11/09/2020 10:48:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227273 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x198 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:48:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4826 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Other Policy Change Events OpCode=Info RecordNumber=227272 Keywords=Audit Success Message=Boot Configuration Data loaded. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Off Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Off HyperVisor Debugging: No 11/09/2020 10:48:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227274 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1bc New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x198 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:48:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227275 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e8 New Process Name: C:\Windows\System32\setupcl.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x198 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:48:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227274 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1c4 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x19c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:48:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227273 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x19c New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:48:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4826 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Other Policy Change Events OpCode=Info RecordNumber=227272 Keywords=Audit Success Message=Boot Configuration Data loaded. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Off Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Off HyperVisor Debugging: No 11/09/2020 10:48:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227275 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1f0 New Process Name: C:\Windows\System32\setupcl.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x19c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:48:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227281 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x29c New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x248 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:48:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227280 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x264 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x204 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:48:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227279 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x250 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x248 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:48:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227278 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x248 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x198 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:48:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227277 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x20c New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x204 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:48:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227276 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x204 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x198 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:48:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227285 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4608 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Security State Change OpCode=Info RecordNumber=227284 Keywords=Audit Success Message=Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. 11/09/2020 10:48:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227283 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2e0 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x264 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:48:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227282 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d0 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x264 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:48:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227301 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:48:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227300 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227299 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 10:48:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227298 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227297 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:48:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227296 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227295 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x58BBC Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege 11/09/2020 10:48:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227294 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x58BAA Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 10:48:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227293 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x58BBC Linked Logon ID: 0x58BAA Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x29c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227292 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x58BAA Linked Logon ID: 0x58BBC Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x29c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227291 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x29c Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 10:48:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227290 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 10:48:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227289 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227288 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:48:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227287 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4902 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227286 Keywords=Audit Success Message=The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x51E00 11/09/2020 10:48:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227303 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:48:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227302 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227281 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2a0 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x24c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:48:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227280 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x258 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x208 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:48:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227279 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x254 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x24c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:48:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227278 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x24c New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x19c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:48:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227277 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x210 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x208 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:48:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227276 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x208 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x19c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:48:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227290 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 10:48:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227289 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227288 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:48:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227287 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4902 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227286 Keywords=Audit Success Message=The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x51DF6 11/09/2020 10:48:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227285 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4608 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Security State Change OpCode=Info RecordNumber=227284 Keywords=Audit Success Message=Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. 11/09/2020 10:48:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227283 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2e4 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x258 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:48:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Process Creation OpCode=Info RecordNumber=227282 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d4 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x258 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:48:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5033 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Other System Events OpCode=Info RecordNumber=227306 Keywords=Audit Success Message=The Windows Firewall Driver started successfully. 11/09/2020 10:48:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227305 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:48:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227304 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227303 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:48:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227302 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227301 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:48:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227300 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227299 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 10:48:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227298 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227297 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:48:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227296 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227295 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x58B54 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege 11/09/2020 10:48:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227294 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x58B42 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 10:48:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227293 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x58B54 Linked Logon ID: 0x58B42 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2a0 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227292 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x58B42 Linked Logon ID: 0x58B54 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2a0 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227291 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2a0 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 10:48:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5024 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Other System Events OpCode=Info RecordNumber=227314 Keywords=Audit Success Message=The Windows Firewall service started successfully. 11/09/2020 10:48:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227313 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x614D0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227312 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:48:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227311 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227310 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:48:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227309 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:48:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227308 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:48:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227307 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:49:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5033 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Other System Events OpCode=Info RecordNumber=227306 Keywords=Audit Success Message=The Windows Firewall Driver started successfully. 11/09/2020 10:49:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227305 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:49:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227304 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:49:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227313 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x61A66 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:49:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227312 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:49:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227311 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:49:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227310 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:49:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227309 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:49:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Special Logon OpCode=Info RecordNumber=227308 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:49:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Logon OpCode=Info RecordNumber=227307 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:49:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5024 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Other System Events OpCode=Info RecordNumber=227314 Keywords=Audit Success Message=The Windows Firewall service started successfully. 11/09/2020 10:49:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4724 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=User Account Management OpCode=Info RecordNumber=227317 Keywords=Audit Success Message=An attempt was made to reset an account's password. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-H0SHIJ3 11/09/2020 10:49:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=User Account Management OpCode=Info RecordNumber=227316 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-H0SHIJ3 Changed Attributes: SAM Account Name: Administrator Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: 11/9/2020 10:49:20 AM Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x14 User Account Control: 'Password Not Required' - Enabled User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: - 11/09/2020 10:49:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=User Account Management OpCode=Info RecordNumber=227315 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-H0SHIJ3 Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\net1.exe 11/09/2020 10:49:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4616 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Security State Change OpCode=Info RecordNumber=227318 Keywords=Audit Success Message=The system time was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process Information: Process ID: 0xa34 Name: C:\Windows\System32\rundll32.exe Previous Time: ‎2020‎-‎11‎-‎09T10:49:21.140151800Z New Time: ‎2020‎-‎11‎-‎09T10:49:21.129000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. 11/09/2020 10:49:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4724 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=User Account Management OpCode=Info RecordNumber=227317 Keywords=Audit Success Message=An attempt was made to reset an account's password. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-H0SHIJ3 11/09/2020 10:49:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=User Account Management OpCode=Info RecordNumber=227316 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-H0SHIJ3 Changed Attributes: SAM Account Name: Administrator Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: 11/9/2020 10:49:23 AM Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x14 User Account Control: 'Password Not Required' - Enabled User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: - 11/09/2020 10:49:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=User Account Management OpCode=Info RecordNumber=227315 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-H0SHIJ3 Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\net1.exe 11/09/2020 10:49:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4616 EventType=0 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Security State Change OpCode=Info RecordNumber=227318 Keywords=Audit Success Message=The system time was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-H0SHIJ3$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process Information: Process ID: 0xa1c Name: C:\Windows\System32\rundll32.exe Previous Time: ‎2020‎-‎11‎-‎09T10:49:24.055666500Z New Time: ‎2020‎-‎11‎-‎09T10:49:24.041000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. 11/09/2020 10:49:28 AM LogName=Security SourceName=Microsoft-Windows-Eventlog EventCode=1100 EventType=4 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Service shutdown OpCode=Info RecordNumber=227319 Keywords=Audit Success Message=The event logging service has shut down. 11/09/2020 10:49:31 AM LogName=Security SourceName=Microsoft-Windows-Eventlog EventCode=1100 EventType=4 Type=Information ComputerName=EC2AMAZ-H0SHIJ3 TaskCategory=Service shutdown OpCode=Info RecordNumber=227319 Keywords=Audit Success Message=The event logging service has shut down. 11/09/2020 10:49:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Process Creation OpCode=Info RecordNumber=227322 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b4 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x190 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:49:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Process Creation OpCode=Info RecordNumber=227321 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x190 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:49:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4826 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Other Policy Change Events OpCode=Info RecordNumber=227320 Keywords=Audit Success Message=Boot Configuration Data loaded. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Off Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Off HyperVisor Debugging: No 11/09/2020 10:49:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4902 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227333 Keywords=Audit Success Message=The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x5568 11/09/2020 10:49:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227332 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:49:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4608 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security State Change OpCode=Info RecordNumber=227331 Keywords=Audit Success Message=Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. 11/09/2020 10:49:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Process Creation OpCode=Info RecordNumber=227330 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2bc New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x234 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:49:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Process Creation OpCode=Info RecordNumber=227329 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2b4 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x234 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:49:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Process Creation OpCode=Info RecordNumber=227328 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x280 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x22c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:49:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Process Creation OpCode=Info RecordNumber=227327 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x23c New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x22c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:49:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Process Creation OpCode=Info RecordNumber=227326 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x234 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1e4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:49:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Process Creation OpCode=Info RecordNumber=227325 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x22c New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x190 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:49:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Process Creation OpCode=Info RecordNumber=227324 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1ec New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1e4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:49:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Process Creation OpCode=Info RecordNumber=227323 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e4 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x190 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:50:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227350 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:50:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227349 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227348 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:50:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227347 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227346 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:50:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227345 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227344 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 10:50:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227343 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227342 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA0BE Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege 11/09/2020 10:50:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227341 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA0AB Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 10:50:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227340 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA0BE Linked Logon ID: 0xA0AB Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x280 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227339 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA0AB Linked Logon ID: 0xA0BE Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x280 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227338 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x280 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 10:50:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227337 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 10:50:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227336 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227335 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:50:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227334 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Process Creation OpCode=Info RecordNumber=227322 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b4 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x18c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:50:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Process Creation OpCode=Info RecordNumber=227321 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x18c New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:50:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4826 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Other Policy Change Events OpCode=Info RecordNumber=227320 Keywords=Audit Success Message=Boot Configuration Data loaded. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Off Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Off HyperVisor Debugging: No 11/09/2020 10:50:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Process Creation OpCode=Info RecordNumber=227330 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2c0 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x234 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:50:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Process Creation OpCode=Info RecordNumber=227329 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2b8 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x234 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:50:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Process Creation OpCode=Info RecordNumber=227328 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x284 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x22c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:50:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Process Creation OpCode=Info RecordNumber=227327 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x23c New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x22c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:50:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Process Creation OpCode=Info RecordNumber=227326 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x234 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1e0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:50:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Process Creation OpCode=Info RecordNumber=227325 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x22c New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x18c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:50:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Process Creation OpCode=Info RecordNumber=227324 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e8 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1e0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:50:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Process Creation OpCode=Info RecordNumber=227323 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e0 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x18c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 10:50:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227350 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:50:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227349 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227348 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:50:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227347 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227346 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:50:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227345 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227344 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 10:50:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227343 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227342 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA0E3 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege 11/09/2020 10:50:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227341 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA0D0 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 10:50:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227340 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA0E3 Linked Logon ID: 0xA0D0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x284 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227339 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA0D0 Linked Logon ID: 0xA0E3 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x284 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227338 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x284 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 10:50:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227337 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 10:50:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227336 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227335 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:50:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227334 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4902 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227333 Keywords=Audit Success Message=The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x555D 11/09/2020 10:50:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227332 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4608 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security State Change OpCode=Info RecordNumber=227331 Keywords=Audit Success Message=Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. 11/09/2020 10:50:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4616 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security State Change OpCode=Info RecordNumber=227351 Keywords=Audit Success Message=The system time was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process Information: Process ID: 0x460 Name: C:\Windows\System32\rundll32.exe Previous Time: ‎2020‎-‎11‎-‎09T10:50:05.666931400Z New Time: ‎2020‎-‎11‎-‎09T10:50:05.656000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227432 Keywords=Audit Success Message=A security-enabled global group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: WIN-HOST-8\None Group Name: None Group Domain: EC2AMAZ-DRAP9BO Changed Attributes: SAM Account Name: None SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227431 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: WIN-HOST-8\None Account Domain: EC2AMAZ-DRAP9BO Old Account Name: None New Account Name: None Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227430 Keywords=Audit Success Message=A security-enabled global group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: WIN-HOST-8\None Group Name: None Group Domain: EC2AMAZ-DRAP9BO Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227429 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: WIN-HOST-8\DefaultAccount Account Name: DefaultAccount Account Domain: EC2AMAZ-DRAP9BO Changed Attributes: SAM Account Name: DefaultAccount Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227428 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: WIN-HOST-8\DefaultAccount Account Name: DefaultAccount Account Domain: EC2AMAZ-DRAP9BO Changed Attributes: SAM Account Name: DefaultAccount Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227427 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: WIN-HOST-8\Guest Account Name: Guest Account Domain: EC2AMAZ-DRAP9BO Changed Attributes: SAM Account Name: Guest Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227426 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: WIN-HOST-8\Guest Account Name: Guest Account Domain: EC2AMAZ-DRAP9BO Changed Attributes: SAM Account Name: Guest Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227425 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Changed Attributes: SAM Account Name: Administrator Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: 11/9/2020 10:49:20 AM Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x14 New UAC Value: 0x14 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227424 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Changed Attributes: SAM Account Name: Administrator Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: 11/9/2020 10:49:20 AM Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x14 New UAC Value: 0x14 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227423 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\System Managed Group Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: System Managed Accounts Group SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227422 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\System Managed Group Account Domain: Builtin Old Account Name: System Managed Accounts Group New Account Name: System Managed Accounts Group Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227421 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\System Managed Group Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227420 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Storage Replica Administrators Group Name: Storage Replica Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Storage Replica Administrators SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227419 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Storage Replica Administrators Account Domain: Builtin Old Account Name: Storage Replica Administrators New Account Name: Storage Replica Administrators Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227418 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Storage Replica Administrators Group Name: Storage Replica Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227417 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Remote Management Users Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: Remote Management Users SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227416 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Remote Management Users Account Domain: Builtin Old Account Name: Remote Management Users New Account Name: Remote Management Users Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227415 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Remote Management Users Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227414 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Access Control Assistance Operators Group Name: Access Control Assistance Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Access Control Assistance Operators SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227413 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Access Control Assistance Operators Account Domain: Builtin Old Account Name: Access Control Assistance Operators New Account Name: Access Control Assistance Operators Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227412 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Access Control Assistance Operators Group Name: Access Control Assistance Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227411 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Hyper-V Administrators Group Name: Hyper-V Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Hyper-V Administrators SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227410 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Hyper-V Administrators Account Domain: Builtin Old Account Name: Hyper-V Administrators New Account Name: Hyper-V Administrators Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227409 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Hyper-V Administrators Group Name: Hyper-V Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227408 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Management Servers Group Name: RDS Management Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Management Servers SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227407 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\RDS Management Servers Account Domain: Builtin Old Account Name: RDS Management Servers New Account Name: RDS Management Servers Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227406 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Management Servers Group Name: RDS Management Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227405 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Endpoint Servers Group Name: RDS Endpoint Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Endpoint Servers SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227404 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\RDS Endpoint Servers Account Domain: Builtin Old Account Name: RDS Endpoint Servers New Account Name: RDS Endpoint Servers Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227403 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Endpoint Servers Group Name: RDS Endpoint Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227402 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Remote Access Servers Group Name: RDS Remote Access Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Remote Access Servers SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227401 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\RDS Remote Access Servers Account Domain: Builtin Old Account Name: RDS Remote Access Servers New Account Name: RDS Remote Access Servers Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227400 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Remote Access Servers Group Name: RDS Remote Access Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227399 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Certificate Service DCOM Access Group Name: Certificate Service DCOM Access Group Domain: Builtin Changed Attributes: SAM Account Name: Certificate Service DCOM Access SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227398 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Certificate Service DCOM Access Account Domain: Builtin Old Account Name: Certificate Service DCOM Access New Account Name: Certificate Service DCOM Access Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227397 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Certificate Service DCOM Access Group Name: Certificate Service DCOM Access Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227396 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Event Log Readers Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: Event Log Readers SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227395 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Event Log Readers Account Domain: Builtin Old Account Name: Event Log Readers New Account Name: Event Log Readers Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227394 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Event Log Readers Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227393 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Cryptographic Operators Group Name: Cryptographic Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Cryptographic Operators SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227392 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Cryptographic Operators Account Domain: Builtin Old Account Name: Cryptographic Operators New Account Name: Cryptographic Operators Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227391 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Cryptographic Operators Group Name: Cryptographic Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227390 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\IIS_IUSRS Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: IIS_IUSRS SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227389 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\IIS_IUSRS Account Domain: Builtin Old Account Name: IIS_IUSRS New Account Name: IIS_IUSRS Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227388 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\IIS_IUSRS Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227387 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Distributed COM Users Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: Distributed COM Users SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227386 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Distributed COM Users Account Domain: Builtin Old Account Name: Distributed COM Users New Account Name: Distributed COM Users Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227385 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Distributed COM Users Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227384 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Performance Log Users Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Log Users SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227383 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Performance Log Users Account Domain: Builtin Old Account Name: Performance Log Users New Account Name: Performance Log Users Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227382 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Performance Log Users Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227381 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Performance Monitor Users Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Monitor Users SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227380 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Performance Monitor Users Account Domain: Builtin Old Account Name: Performance Monitor Users New Account Name: Performance Monitor Users Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227379 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Performance Monitor Users Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227378 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Power Users Group Name: Power Users Group Domain: Builtin Changed Attributes: SAM Account Name: Power Users SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227377 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Power Users Account Domain: Builtin Old Account Name: Power Users New Account Name: Power Users Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227376 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Power Users Group Name: Power Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227375 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Network Configuration Operators Group Name: Network Configuration Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Network Configuration Operators SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227374 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Network Configuration Operators Account Domain: Builtin Old Account Name: Network Configuration Operators New Account Name: Network Configuration Operators Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227373 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Network Configuration Operators Group Name: Network Configuration Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227372 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Remote Desktop Users Group Name: Remote Desktop Users Group Domain: Builtin Changed Attributes: SAM Account Name: Remote Desktop Users SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227371 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Remote Desktop Users Account Domain: Builtin Old Account Name: Remote Desktop Users New Account Name: Remote Desktop Users Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227370 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Remote Desktop Users Group Name: Remote Desktop Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227369 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Replicator Group Name: Replicator Group Domain: Builtin Changed Attributes: SAM Account Name: Replicator SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227368 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Replicator Account Domain: Builtin Old Account Name: Replicator New Account Name: Replicator Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227367 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Replicator Group Name: Replicator Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227366 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Backup Operators SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227365 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Backup Operators Account Domain: Builtin Old Account Name: Backup Operators New Account Name: Backup Operators Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227364 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227363 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Guests Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: Guests SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227362 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Guests Account Domain: Builtin Old Account Name: Guests New Account Name: Guests Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227361 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Guests Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227360 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Users Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: Users SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227359 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Users Account Domain: Builtin Old Account Name: Users New Account Name: Users Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227358 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Users Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227357 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Administrators SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227356 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Administrators Account Domain: Builtin Old Account Name: Administrators New Account Name: Administrators Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227355 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227354 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Print Operators Group Name: Print Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Print Operators SID History: - Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227353 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Print Operators Account Domain: Builtin Old Account Name: Print Operators New Account Name: Print Operators Additional Information: Privileges: - 11/09/2020 10:50:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227352 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Print Operators Group Name: Print Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5033 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Other System Events OpCode=Info RecordNumber=227435 Keywords=Audit Success Message=The Windows Firewall Driver started successfully. 11/09/2020 10:50:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227434 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:50:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227433 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5024 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Other System Events OpCode=Info RecordNumber=227447 Keywords=Audit Success Message=The Windows Firewall service started successfully. 11/09/2020 10:50:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227446 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x3dc Process Name: C:\Windows\System32\svchost.exe 11/09/2020 10:50:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227445 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x3dc Process Name: C:\Windows\System32\svchost.exe 11/09/2020 10:50:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227444 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x198C3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227443 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x498 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 10:50:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227442 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x498 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 10:50:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227441 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:50:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227440 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227439 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:50:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227438 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227437 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:50:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227436 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4616 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security State Change OpCode=Info RecordNumber=227351 Keywords=Audit Success Message=The system time was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process Information: Process ID: 0x44c Name: C:\Windows\System32\rundll32.exe Previous Time: ‎2020‎-‎11‎-‎09T10:50:08.943682700Z New Time: ‎2020‎-‎11‎-‎09T10:50:08.934000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227450 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x3dc Process Name: C:\Windows\System32\svchost.exe 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227449 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227448 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227432 Keywords=Audit Success Message=A security-enabled global group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: ATTACKRANGE\Domain Users Group Name: None Group Domain: EC2AMAZ-VS2L7UP Changed Attributes: SAM Account Name: None SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227431 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Domain Users Account Domain: EC2AMAZ-VS2L7UP Old Account Name: None New Account Name: None Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227430 Keywords=Audit Success Message=A security-enabled global group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: ATTACKRANGE\Domain Users Group Name: None Group Domain: EC2AMAZ-VS2L7UP Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227429 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\DefaultAccount Account Name: DefaultAccount Account Domain: EC2AMAZ-VS2L7UP Changed Attributes: SAM Account Name: DefaultAccount Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227428 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\DefaultAccount Account Name: DefaultAccount Account Domain: EC2AMAZ-VS2L7UP Changed Attributes: SAM Account Name: DefaultAccount Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227427 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Guest Account Name: Guest Account Domain: EC2AMAZ-VS2L7UP Changed Attributes: SAM Account Name: Guest Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227426 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Guest Account Name: Guest Account Domain: EC2AMAZ-VS2L7UP Changed Attributes: SAM Account Name: Guest Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227425 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Changed Attributes: SAM Account Name: Administrator Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: 11/9/2020 10:49:23 AM Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x14 New UAC Value: 0x14 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227424 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Changed Attributes: SAM Account Name: Administrator Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: 11/9/2020 10:49:23 AM Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x14 New UAC Value: 0x14 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227423 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\System Managed Group Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: System Managed Accounts Group SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227422 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\System Managed Group Account Domain: Builtin Old Account Name: System Managed Accounts Group New Account Name: System Managed Accounts Group Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227421 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\System Managed Group Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227420 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Storage Replica Administrators Group Name: Storage Replica Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Storage Replica Administrators SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227419 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Storage Replica Administrators Account Domain: Builtin Old Account Name: Storage Replica Administrators New Account Name: Storage Replica Administrators Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227418 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Storage Replica Administrators Group Name: Storage Replica Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227417 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Remote Management Users Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: Remote Management Users SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227416 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Remote Management Users Account Domain: Builtin Old Account Name: Remote Management Users New Account Name: Remote Management Users Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227415 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Remote Management Users Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227414 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Access Control Assistance Operators Group Name: Access Control Assistance Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Access Control Assistance Operators SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227413 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Access Control Assistance Operators Account Domain: Builtin Old Account Name: Access Control Assistance Operators New Account Name: Access Control Assistance Operators Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227412 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Access Control Assistance Operators Group Name: Access Control Assistance Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227411 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Hyper-V Administrators Group Name: Hyper-V Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Hyper-V Administrators SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227410 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Hyper-V Administrators Account Domain: Builtin Old Account Name: Hyper-V Administrators New Account Name: Hyper-V Administrators Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227409 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Hyper-V Administrators Group Name: Hyper-V Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227408 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Management Servers Group Name: RDS Management Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Management Servers SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227407 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\RDS Management Servers Account Domain: Builtin Old Account Name: RDS Management Servers New Account Name: RDS Management Servers Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227406 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Management Servers Group Name: RDS Management Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227405 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Endpoint Servers Group Name: RDS Endpoint Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Endpoint Servers SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227404 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\RDS Endpoint Servers Account Domain: Builtin Old Account Name: RDS Endpoint Servers New Account Name: RDS Endpoint Servers Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227403 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Endpoint Servers Group Name: RDS Endpoint Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227402 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Remote Access Servers Group Name: RDS Remote Access Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Remote Access Servers SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227401 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\RDS Remote Access Servers Account Domain: Builtin Old Account Name: RDS Remote Access Servers New Account Name: RDS Remote Access Servers Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227400 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Remote Access Servers Group Name: RDS Remote Access Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227399 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Certificate Service DCOM Access Group Name: Certificate Service DCOM Access Group Domain: Builtin Changed Attributes: SAM Account Name: Certificate Service DCOM Access SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227398 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Certificate Service DCOM Access Account Domain: Builtin Old Account Name: Certificate Service DCOM Access New Account Name: Certificate Service DCOM Access Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227397 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Certificate Service DCOM Access Group Name: Certificate Service DCOM Access Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227396 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Event Log Readers Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: Event Log Readers SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227395 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Event Log Readers Account Domain: Builtin Old Account Name: Event Log Readers New Account Name: Event Log Readers Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227394 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Event Log Readers Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227393 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Cryptographic Operators Group Name: Cryptographic Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Cryptographic Operators SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227392 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Cryptographic Operators Account Domain: Builtin Old Account Name: Cryptographic Operators New Account Name: Cryptographic Operators Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227391 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Cryptographic Operators Group Name: Cryptographic Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227390 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\IIS_IUSRS Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: IIS_IUSRS SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227389 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\IIS_IUSRS Account Domain: Builtin Old Account Name: IIS_IUSRS New Account Name: IIS_IUSRS Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227388 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\IIS_IUSRS Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227387 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Distributed COM Users Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: Distributed COM Users SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227386 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Distributed COM Users Account Domain: Builtin Old Account Name: Distributed COM Users New Account Name: Distributed COM Users Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227385 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Distributed COM Users Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227384 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Performance Log Users Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Log Users SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227383 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Performance Log Users Account Domain: Builtin Old Account Name: Performance Log Users New Account Name: Performance Log Users Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227382 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Performance Log Users Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227381 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Performance Monitor Users Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Monitor Users SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227380 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Performance Monitor Users Account Domain: Builtin Old Account Name: Performance Monitor Users New Account Name: Performance Monitor Users Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227379 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Performance Monitor Users Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227378 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: NONE_MAPPED Group Name: Power Users Group Domain: Builtin Changed Attributes: SAM Account Name: Power Users SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227377 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: NONE_MAPPED Account Domain: Builtin Old Account Name: Power Users New Account Name: Power Users Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227376 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: NONE_MAPPED Group Name: Power Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227375 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Network Configuration Operators Group Name: Network Configuration Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Network Configuration Operators SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227374 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Network Configuration Operators Account Domain: Builtin Old Account Name: Network Configuration Operators New Account Name: Network Configuration Operators Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227373 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Network Configuration Operators Group Name: Network Configuration Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227372 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Remote Desktop Users Group Name: Remote Desktop Users Group Domain: Builtin Changed Attributes: SAM Account Name: Remote Desktop Users SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227371 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Remote Desktop Users Account Domain: Builtin Old Account Name: Remote Desktop Users New Account Name: Remote Desktop Users Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227370 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Remote Desktop Users Group Name: Remote Desktop Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227369 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Replicator Group Name: Replicator Group Domain: Builtin Changed Attributes: SAM Account Name: Replicator SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227368 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Replicator Account Domain: Builtin Old Account Name: Replicator New Account Name: Replicator Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227367 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Replicator Group Name: Replicator Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227366 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Backup Operators SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227365 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Backup Operators Account Domain: Builtin Old Account Name: Backup Operators New Account Name: Backup Operators Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227364 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227363 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Guests Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: Guests SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227362 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Guests Account Domain: Builtin Old Account Name: Guests New Account Name: Guests Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227361 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Guests Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227360 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Users Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: Users SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227359 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Users Account Domain: Builtin Old Account Name: Users New Account Name: Users Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227358 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Users Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227357 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Administrators SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227356 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Administrators Account Domain: Builtin Old Account Name: Administrators New Account Name: Administrators Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227355 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227354 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Print Operators Group Name: Print Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Print Operators SID History: - Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227353 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Print Operators Account Domain: Builtin Old Account Name: Print Operators New Account Name: Print Operators Additional Information: Privileges: - 11/09/2020 10:50:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227352 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Print Operators Group Name: Print Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 10:50:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227452 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:50:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227451 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227437 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x484 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 10:50:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227436 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x484 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 10:50:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5033 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Other System Events OpCode=Info RecordNumber=227435 Keywords=Audit Success Message=The Windows Firewall Driver started successfully. 11/09/2020 10:50:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227434 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:50:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227433 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227449 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x3d0 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 10:50:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227448 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x3d0 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 10:50:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5024 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Other System Events OpCode=Info RecordNumber=227447 Keywords=Audit Success Message=The Windows Firewall service started successfully. 11/09/2020 10:50:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227446 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x1B544 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227445 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:50:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227444 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227443 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:50:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227442 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227441 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:50:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227440 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227439 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:50:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227438 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=System Integrity OpCode=Info RecordNumber=227456 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 10:50:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Other System Events OpCode=Info RecordNumber=227455 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_e592d445-77f8-4f09-9dde-c74cee7316a9 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 10:50:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=System Integrity OpCode=Info RecordNumber=227454 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 10:50:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Other System Events OpCode=Info RecordNumber=227453 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_e592d445-77f8-4f09-9dde-c74cee7316a9 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 10:50:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227452 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:50:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227451 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227450 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x3d0 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 10:50:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=System Integrity OpCode=Info RecordNumber=227456 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 10:50:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Other System Events OpCode=Info RecordNumber=227455 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_34ca4ca7-a721-48b1-9db0-17df5a4229a7 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 10:50:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=System Integrity OpCode=Info RecordNumber=227454 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 10:50:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Other System Events OpCode=Info RecordNumber=227453 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_34ca4ca7-a721-48b1-9db0-17df5a4229a7 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 10:50:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227458 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:50:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227457 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227458 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:50:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227457 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227460 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:50:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227459 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227460 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:50:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227459 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4724 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227466 Keywords=Audit Success Message=An attempt was made to reset an account's password. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO 11/09/2020 10:50:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227465 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Changed Attributes: SAM Account Name: Administrator Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: 11/9/2020 10:50:34 AM Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x14 New UAC Value: 0x10 User Account Control: 'Password Not Required' - Disabled User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: - 11/09/2020 10:50:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227464 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Process Information: Process ID: 0xcc4 Process Name: C:\Windows\System32\net1.exe 11/09/2020 10:50:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227463 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: WIN-HOST-8\Guest Account Name: Guest Account Domain: EC2AMAZ-DRAP9BO Process Information: Process ID: 0x888 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 10:50:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227462 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: WIN-HOST-8\DefaultAccount Account Name: DefaultAccount Account Domain: EC2AMAZ-DRAP9BO Process Information: Process ID: 0x888 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 10:50:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227461 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Process Information: Process ID: 0x888 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 10:50:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4724 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227466 Keywords=Audit Success Message=An attempt was made to reset an account's password. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP 11/09/2020 10:50:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227465 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Changed Attributes: SAM Account Name: Administrator Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: 11/9/2020 10:50:34 AM Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x14 New UAC Value: 0x10 User Account Control: 'Password Not Required' - Disabled User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: - 11/09/2020 10:50:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227464 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Process Information: Process ID: 0xcec Process Name: C:\Windows\System32\net1.exe 11/09/2020 10:50:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227463 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Guest Account Name: Guest Account Domain: EC2AMAZ-VS2L7UP Process Information: Process ID: 0xa1c Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 10:50:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227462 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\DefaultAccount Account Name: DefaultAccount Account Domain: EC2AMAZ-VS2L7UP Process Information: Process ID: 0xa1c Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 10:50:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227461 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Process Information: Process ID: 0xa1c Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 10:50:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227473 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x76FF7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:50:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227472 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 4 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x76FF7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x998 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227471 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x998 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 10:50:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227470 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 10:50:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227469 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Guest Account Name: Guest Account Domain: EC2AMAZ-VS2L7UP Process Information: Process ID: 0xa1c Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 10:50:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227468 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\DefaultAccount Account Name: DefaultAccount Account Domain: EC2AMAZ-VS2L7UP Process Information: Process ID: 0xa1c Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 10:50:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227467 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Process Information: Process ID: 0xa1c Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 10:50:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227473 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x79099 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 10:50:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227472 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 4 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x79099 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xab0 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 10:50:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227471 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xab0 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 10:50:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227470 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 10:50:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227469 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: WIN-HOST-8\Guest Account Name: Guest Account Domain: EC2AMAZ-DRAP9BO Process Information: Process ID: 0x888 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 10:50:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227468 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: WIN-HOST-8\DefaultAccount Account Name: DefaultAccount Account Domain: EC2AMAZ-DRAP9BO Process Information: Process ID: 0x888 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 10:50:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227467 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Process Information: Process ID: 0x888 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 10:50:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227474 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x3d0 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 10:50:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227474 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x3dc Process Name: C:\Windows\System32\svchost.exe 11/09/2020 10:50:45 AM LogName=Security SourceName=Microsoft-Windows-Eventlog EventCode=1100 EventType=4 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Service shutdown OpCode=Info RecordNumber=227475 Keywords=Audit Success Message=The event logging service has shut down. 11/09/2020 10:50:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4616 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security State Change OpCode=Info RecordNumber=227476 Keywords=Audit Success Message=The system time was changed. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x4c4 Name: C:\Windows\System32\svchost.exe Previous Time: ‎2020‎-‎11‎-‎09T10:50:48.023605200Z New Time: ‎2020‎-‎11‎-‎09T10:50:48.014000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. 11/09/2020 10:50:48 AM LogName=Security SourceName=Microsoft-Windows-Eventlog EventCode=1100 EventType=4 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Service shutdown OpCode=Info RecordNumber=227475 Keywords=Audit Success Message=The event logging service has shut down. 11/09/2020 11:24:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Process Creation OpCode=Info RecordNumber=227478 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x278 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1f4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:24:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Process Creation OpCode=Info RecordNumber=227477 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1f4 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:24:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4826 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Other Policy Change Events OpCode=Info RecordNumber=227476 Keywords=Audit Success Message=Boot Configuration Data loaded. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Off Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Off HyperVisor Debugging: No 11/09/2020 11:24:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Process Creation OpCode=Info RecordNumber=227484 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x350 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2f4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:24:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Process Creation OpCode=Info RecordNumber=227483 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x314 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2ac Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:24:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Process Creation OpCode=Info RecordNumber=227482 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2fc New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2f4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:24:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Process Creation OpCode=Info RecordNumber=227481 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2f4 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1f4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:24:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Process Creation OpCode=Info RecordNumber=227480 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2b4 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2ac Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:24:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Process Creation OpCode=Info RecordNumber=227479 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2ac New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1f4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:24:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227488 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:24:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4608 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security State Change OpCode=Info RecordNumber=227487 Keywords=Audit Success Message=Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. 11/09/2020 11:24:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Process Creation OpCode=Info RecordNumber=227486 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x394 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x314 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:24:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Process Creation OpCode=Info RecordNumber=227485 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x384 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x314 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:24:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227493 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 11:24:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227492 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x384 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:24:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227491 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:24:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227490 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x384 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:24:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4902 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227489 Keywords=Audit Success Message=The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x70E2 11/09/2020 11:24:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5033 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Other System Events OpCode=Info RecordNumber=227505 Keywords=Audit Success Message=The Windows Firewall Driver started successfully. 11/09/2020 11:24:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227504 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10FC1 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege 11/09/2020 11:24:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227503 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10FB0 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 11:24:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227502 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10FC1 Linked Logon ID: 0x10FB0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x350 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:24:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227501 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10FB0 Linked Logon ID: 0x10FC1 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x350 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:24:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227500 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x350 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:24:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227499 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:24:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227498 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x384 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:24:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227497 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 11:24:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227496 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x384 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:24:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227495 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:24:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227494 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x384 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:24:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227516 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:24:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227515 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:24:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227514 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x16AEC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:24:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227513 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:24:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227512 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x384 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:24:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227511 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:24:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227510 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x384 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:24:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227509 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:24:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227508 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x384 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:24:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227507 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:24:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227506 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x384 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:24:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5024 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Other System Events OpCode=Info RecordNumber=227519 Keywords=Audit Success Message=The Windows Firewall service started successfully. 11/09/2020 11:24:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227518 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:24:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227517 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:24:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227521 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:24:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227520 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x384 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227523 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227522 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x384 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4724 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227529 Keywords=Audit Success Message=An attempt was made to reset an account's password. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP 11/09/2020 11:25:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227528 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Changed Attributes: SAM Account Name: Administrator Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: 11/9/2020 11:25:26 AM Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: - 11/09/2020 11:25:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227527 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Process Information: Process ID: 0xfcc Process Name: C:\Windows\System32\net1.exe 11/09/2020 11:25:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227526 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Guest Account Name: Guest Account Domain: EC2AMAZ-VS2L7UP Process Information: Process ID: 0xb08 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 11:25:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227525 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\DefaultAccount Account Name: DefaultAccount Account Domain: EC2AMAZ-VS2L7UP Process Information: Process ID: 0xb08 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 11:25:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227524 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Process Information: Process ID: 0xb08 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 11:25:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227532 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Guest Account Name: Guest Account Domain: EC2AMAZ-VS2L7UP Process Information: Process ID: 0xb08 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 11:25:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227531 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\DefaultAccount Account Name: DefaultAccount Account Domain: EC2AMAZ-VS2L7UP Process Information: Process ID: 0xb08 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 11:25:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227530 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Process Information: Process ID: 0xb08 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 11:25:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227537 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:25:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227536 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x6F65E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227535 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 4 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x6F65E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xbe0 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227534 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xbe0 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227533 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4724 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227541 Keywords=Audit Success Message=An attempt was made to reset an account's password. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x6F65E Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP 11/09/2020 11:25:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227540 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x6F65E Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Changed Attributes: SAM Account Name: Administrator Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: 11/9/2020 11:25:33 AM Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: - 11/09/2020 11:25:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227539 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x6F65E User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Process Information: Process ID: 0x0 Process Name: - 11/09/2020 11:25:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=User Account Management OpCode=Info RecordNumber=227538 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x6F65E User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Process Information: Process ID: 0x0 Process Name: - 11/09/2020 11:25:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=System Integrity OpCode=Info RecordNumber=227551 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: tp-afe7d474-c623-4bbd-a160-c4a182231e76 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:25:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Other System Events OpCode=Info RecordNumber=227550 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 70e9b61ed37810c0b430a5837f45d644_34ca4ca7-a721-48b1-9db0-17df5a4229a7 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\70e9b61ed37810c0b430a5837f45d644_34ca4ca7-a721-48b1-9db0-17df5a4229a7 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:25:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=System Integrity OpCode=Info RecordNumber=227549 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x6F65E Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: tp-afe7d474-c623-4bbd-a160-c4a182231e76 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:25:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Other System Events OpCode=Info RecordNumber=227548 Keywords=Audit Success Message=Key file operation. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x6F65E Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: tp-afe7d474-c623-4bbd-a160-c4a182231e76 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\70e9b61ed37810c0b430a5837f45d644_34ca4ca7-a721-48b1-9db0-17df5a4229a7 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:25:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=System Integrity OpCode=Info RecordNumber=227547 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x6F65E Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: tp-afe7d474-c623-4bbd-a160-c4a182231e76 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:25:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Other System Events OpCode=Info RecordNumber=227546 Keywords=Audit Success Message=Key file operation. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x6F65E Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: tp-afe7d474-c623-4bbd-a160-c4a182231e76 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\70e9b61ed37810c0b430a5837f45d644_34ca4ca7-a721-48b1-9db0-17df5a4229a7 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:25:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=System Integrity OpCode=Info RecordNumber=227545 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x6F65E Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: tp-afe7d474-c623-4bbd-a160-c4a182231e76 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:25:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Other System Events OpCode=Info RecordNumber=227544 Keywords=Audit Success Message=Key file operation. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x6F65E Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: tp-afe7d474-c623-4bbd-a160-c4a182231e76 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\70e9b61ed37810c0b430a5837f45d644_34ca4ca7-a721-48b1-9db0-17df5a4229a7 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:25:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=System Integrity OpCode=Info RecordNumber=227543 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x6F65E Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: tp-afe7d474-c623-4bbd-a160-c4a182231e76 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:25:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Other System Events OpCode=Info RecordNumber=227542 Keywords=Audit Success Message=Key file operation. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x6F65E Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: tp-afe7d474-c623-4bbd-a160-c4a182231e76 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\70e9b61ed37810c0b430a5837f45d644_34ca4ca7-a721-48b1-9db0-17df5a4229a7 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:25:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227553 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227552 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227558 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:25:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227557 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7E657 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227556 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7E657 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227555 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227554 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227612 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7FCB9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227611 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x8114F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227610 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x8114F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227609 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227608 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227607 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x81057 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227606 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x81057 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227605 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x81057 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227604 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227603 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227602 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x80619 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227601 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x80619 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227600 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x80619 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227599 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227598 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227597 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7FCB9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227596 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7FCB9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227595 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227594 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227593 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227592 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7F7F5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227591 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7F7F5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227590 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227589 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227588 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7F70C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227587 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7EF66 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227586 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7F444 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227585 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7F70C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227584 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7F70C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227583 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227582 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227581 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7F6D5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227580 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7F6D5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227579 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7F6D5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227578 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227577 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227576 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7F64E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227575 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7F64E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227574 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7F64E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227573 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227572 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227571 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7F444 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227570 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7F444 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227569 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227568 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227567 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227566 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7EF66 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227565 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7EF66 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227564 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227563 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227562 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7EE0F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227561 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7EE0F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227560 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227559 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227667 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x858F7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227666 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x858F7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227665 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227664 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227663 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227662 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x85310 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227661 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x85310 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227660 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227659 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227658 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x84CBC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227657 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x851B5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227656 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x851B5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227655 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227654 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227653 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x850E0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227652 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x850E0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227651 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x850E0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227650 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227649 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227648 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x84CBC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227647 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x84CBC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227646 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227645 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227644 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227643 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x83830 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227642 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x83830 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227641 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227640 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227639 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7EE0F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227638 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x81E29 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227637 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x83779 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227636 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x83779 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227635 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227634 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227633 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x83748 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227632 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x83748 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227631 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x83748 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227630 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227629 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227628 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x82542 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227627 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x82542 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227626 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x82542 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227625 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227624 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227623 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x81E29 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227622 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x81E29 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227621 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227620 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227619 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227618 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x81551 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227617 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x81551 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227616 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227615 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227614 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x8114F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227613 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x7F7F5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227713 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x89575 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227712 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x89575 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227711 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227710 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227709 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x88A45 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227708 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x88A45 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227707 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x88A45 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227706 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227705 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227704 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x88047 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227703 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x88047 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227702 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227701 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227700 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227699 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x876E2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227698 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x876E2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227697 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227696 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227695 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x875F7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227694 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x859F3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227693 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x85F72 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227692 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x875F7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227691 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x875F7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227690 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227689 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227688 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x875C6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227687 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x875C6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227686 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x875C6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227685 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227684 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227683 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x86261 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227682 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x86261 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227681 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x86261 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227680 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227679 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227678 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x85F72 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227677 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x85F72 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227676 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227675 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227674 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227673 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x859F3 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227672 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x859F3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227671 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227670 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227669 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x858F7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:25:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227668 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x85310 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:25:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227719 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x88047 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:25:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227718 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x895AE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227717 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x895AE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227716 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227715 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227714 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x89575 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:25:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227736 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x8C044 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227735 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x8C044 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227734 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227733 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227732 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x8B06A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227731 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x8B06A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227730 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227729 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227728 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x8A2DB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227727 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x8A2DB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227726 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227725 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227724 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:25:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227723 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x89E12 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227722 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x89E12 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227721 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227720 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:25:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227740 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x8CCA9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:25:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227739 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x8CCA9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:25:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227738 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:25:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227737 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227741 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x89E12 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xf20 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227772 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA20BD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227771 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA20BD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227770 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227769 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227768 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA0488 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227767 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA0488 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227766 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227765 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227764 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA0152 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227763 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA0152 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227762 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227761 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227760 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227759 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x9FA88 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227758 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x9FA88 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227757 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227756 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227755 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x9F9A3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227754 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x8A2DB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227753 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x9F9A3 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227752 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x9F9A3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227751 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227750 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227749 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x9F96F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227748 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x9F96F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227747 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x9F96F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227746 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227745 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227744 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x8CCA9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227743 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x8C044 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227742 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x8B06A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227791 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA3234 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227790 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0x9FA88 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227789 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA0152 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227788 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA3234 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227787 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA3234 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227786 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227785 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227784 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA3203 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227783 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA3203 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227782 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA3203 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227781 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227780 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227779 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA2FBB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227778 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA20BD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227777 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA0488 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227776 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA2FBB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227775 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA2FBB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227774 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227773 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227808 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA5796 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227807 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA5796 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227806 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227805 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227804 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA3B0E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227803 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA3B0E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227802 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227801 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227800 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA385A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227799 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA385A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227798 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227797 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227796 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:26:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227795 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA33A2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227794 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA33A2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227793 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227792 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227812 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA623B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227811 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA623B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227810 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227809 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227817 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xB4B3A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227816 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xB4B3A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227815 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227814 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227813 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA623B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227829 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0xccc Process Name: C:\Windows\System32\VSSVC.exe 11/09/2020 11:26:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227828 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xccc Process Name: C:\Windows\System32\VSSVC.exe 11/09/2020 11:26:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227827 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0xccc Process Name: C:\Windows\System32\VSSVC.exe 11/09/2020 11:26:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227826 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xccc Process Name: C:\Windows\System32\VSSVC.exe 11/09/2020 11:26:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227825 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0xccc Process Name: C:\Windows\System32\VSSVC.exe 11/09/2020 11:26:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227824 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xccc Process Name: C:\Windows\System32\VSSVC.exe 11/09/2020 11:26:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227823 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227822 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x384 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227821 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0xccc Process Name: C:\Windows\System32\VSSVC.exe 11/09/2020 11:26:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227820 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xccc Process Name: C:\Windows\System32\VSSVC.exe 11/09/2020 11:26:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227819 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227818 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x384 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227861 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD0131 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227860 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD0131 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227859 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227858 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227857 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xCE0BA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227856 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xCE0BA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227855 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227854 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227853 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xCDDD5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227852 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xCDDD5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227851 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227850 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227849 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227848 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xCD41D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227847 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xCD41D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227846 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227845 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227844 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xCD1C5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227843 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA33A2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227842 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA385A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227841 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xCD1C5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227840 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xCD1C5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227839 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227838 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227837 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xCD170 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227836 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xCD170 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227835 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xCD170 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227834 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227833 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227832 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xB4B3A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227831 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA5796 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227830 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xA3B0E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227872 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD153C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227871 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD153C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227870 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227869 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227868 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD0E49 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227867 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD0131 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227866 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xCE0BA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227865 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD0E49 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227864 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD0E49 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227863 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227862 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227897 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD4179 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227896 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD4179 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227895 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227894 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227893 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD24B0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227892 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD24B0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227891 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227890 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227889 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD20BF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227888 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD20BF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227887 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227886 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227885 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227884 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD1684 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227883 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD1684 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227882 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227881 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227880 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD15A6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227879 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xCD41D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227878 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xCDDD5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227877 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD15A6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227876 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD15A6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227875 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227874 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227873 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD153C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227920 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD5785 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227919 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD5785 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227918 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227917 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227916 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD568A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227915 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD1684 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227914 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD20BF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227913 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD568A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227912 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD568A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227911 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227910 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227909 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD5659 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227908 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD5659 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227907 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD5659 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227906 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227905 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227904 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD4DFB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227903 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD4179 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227902 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD24B0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227901 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD4DFB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227900 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD4DFB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227899 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227898 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227949 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD9289 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227948 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD9289 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227947 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD9289 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227946 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227945 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227944 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD73B4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227943 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD73B4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227942 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD73B4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227941 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227940 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227939 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD710C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227938 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD710C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227937 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227936 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227935 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD70DB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227934 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD70DB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227933 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD70DB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227932 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227931 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227930 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD5F42 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227929 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD5F42 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227928 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD5F42 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227927 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227926 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227925 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD5C5C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227924 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD5C5C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227923 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227922 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Security Group Management OpCode=Info RecordNumber=227921 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227966 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xDAA8E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227965 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xDAA8E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227964 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227963 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227962 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xDA452 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227961 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xDA452 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227960 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xDA452 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227959 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227958 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227957 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD9649 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227956 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD9649 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227955 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227954 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227953 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD92D5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227952 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xD92D5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227951 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227950 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=228001 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xDCC8F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=228000 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xDCC8F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227999 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227998 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227997 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xDB821 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227996 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xDB821 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227995 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xDB821 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227994 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227993 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227992 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xDB568 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227991 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xDB568 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227990 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227989 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Special Logon OpCode=Info RecordNumber=227988 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xDB122 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227987 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xDB122 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-VS2L7UP Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logon OpCode=Info RecordNumber=227986 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x54c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Credential Validation OpCode=Info RecordNumber=227985 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-VS2L7UP Error Code: 0x0 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227984 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_windows_defender_3e33901162166ae9.cdf-ms Handle ID: 0x5c Process Information: Process ID: 0xe14 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227983 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_ffd0cbfc813cc4f1.cdf-ms Handle ID: 0x5c Process Information: Process ID: 0xe14 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227982 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_x86__676bbe2c7241b694.cdf-ms Handle ID: 0x5c Process Information: Process ID: 0xe14 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227981 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_programs_system_tools_fde5decba5bb578b.cdf-ms Handle ID: 0x5c Process Information: Process ID: 0xe14 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227980 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_programs_d672ba09d81e87ff.cdf-ms Handle ID: 0x5c Process Information: Process ID: 0xe14 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227979 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_fde55420546edfe6.cdf-ms Handle ID: 0x5c Process Information: Process ID: 0xe14 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227978 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_cae2264614449191.cdf-ms Handle ID: 0x5c Process Information: Process ID: 0xe14 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227977 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_fe5c6d762edd2110.cdf-ms Handle ID: 0x5c Process Information: Process ID: 0xe14 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227976 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata.cdf-ms Handle ID: 0x5c Process Information: Process ID: 0xe14 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227975 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_elambkup_0bc02aa0c28485f3.cdf-ms Handle ID: 0x5c Process Information: Process ID: 0xe14 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227974 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_drivers_dc1b782427b5ee1b.cdf-ms Handle ID: 0x5c Process Information: Process ID: 0xe14 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227973 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_a349059b05097caa.cdf-ms Handle ID: 0x5c Process Information: Process ID: 0xe14 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227972 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_3f102d555ee05d33.cdf-ms Handle ID: 0x5c Process Information: Process ID: 0xe14 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227971 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms Handle ID: 0x5c Process Information: Process ID: 0xe14 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227970 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_21ffbdd2a2dd92e0.cdf-ms Handle ID: 0x5c Process Information: Process ID: 0xe14 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227969 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$.cdf-ms Handle ID: 0x58 Process Information: Process ID: 0xe14 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227968 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-VS2L7UP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\_0000000000000000.cdf-ms Handle ID: 0x58 Process Information: Process ID: 0xe14 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Logoff OpCode=Info RecordNumber=227967 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-VS2L7UP Logon ID: 0xDAA8E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:26:55 AM LogName=Security SourceName=Microsoft-Windows-Eventlog EventCode=1100 EventType=4 Type=Information ComputerName=EC2AMAZ-VS2L7UP TaskCategory=Service shutdown OpCode=Info RecordNumber=228002 Keywords=Audit Success Message=The event logging service has shut down. 11/09/2020 11:27:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Process Creation OpCode=Info RecordNumber=228005 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x248 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1bc Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:27:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Process Creation OpCode=Info RecordNumber=228004 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1bc New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:27:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4826 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Other Policy Change Events OpCode=Info RecordNumber=228003 Keywords=Audit Success Message=Boot Configuration Data loaded. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Off Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Off HyperVisor Debugging: No 11/09/2020 11:27:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Process Creation OpCode=Info RecordNumber=228011 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x304 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2bc Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:27:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Process Creation OpCode=Info RecordNumber=228010 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2cc New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2bc Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:27:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Process Creation OpCode=Info RecordNumber=228009 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2c4 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x274 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:27:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Process Creation OpCode=Info RecordNumber=228008 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2bc New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1bc Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:27:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Process Creation OpCode=Info RecordNumber=228007 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x27c New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x274 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:27:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Process Creation OpCode=Info RecordNumber=228006 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x274 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1bc Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:27:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228020 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 11:27:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228019 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x34c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:27:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228018 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:27:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228017 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x34c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:27:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4902 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228016 Keywords=Audit Success Message=The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x552C 11/09/2020 11:27:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228015 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:27:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4608 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Security State Change OpCode=Info RecordNumber=228014 Keywords=Audit Success Message=Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. 11/09/2020 11:27:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Process Creation OpCode=Info RecordNumber=228013 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x354 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2c4 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:27:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Process Creation OpCode=Info RecordNumber=228012 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x34c New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2c4 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:27:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228043 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x12A13 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:27:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Security Group Management OpCode=Info RecordNumber=228042 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:27:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Security Group Management OpCode=Info RecordNumber=228041 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:27:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228040 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:27:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228039 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x34c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:27:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228038 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:27:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228037 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x34c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:27:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228036 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:27:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228035 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x34c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:27:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5033 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Other System Events OpCode=Info RecordNumber=228034 Keywords=Audit Success Message=The Windows Firewall Driver started successfully. 11/09/2020 11:27:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228033 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:27:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228032 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x34c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:27:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228031 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:27:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228030 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x34c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:27:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228029 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 11:27:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228028 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x34c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:27:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228027 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:27:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228026 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x34c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:27:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228025 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA323 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege 11/09/2020 11:27:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228024 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA302 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 11:27:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228023 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA323 Linked Logon ID: 0xA302 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:27:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228022 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA302 Linked Logon ID: 0xA323 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:27:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228021 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:27:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=System Integrity OpCode=Info RecordNumber=228050 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:27:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Other System Events OpCode=Info RecordNumber=228049 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_34ca4ca7-a721-48b1-9db0-17df5a4229a7 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:27:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=System Integrity OpCode=Info RecordNumber=228048 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:27:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Other System Events OpCode=Info RecordNumber=228047 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_34ca4ca7-a721-48b1-9db0-17df5a4229a7 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:27:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Security Group Management OpCode=Info RecordNumber=228046 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x254 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:27:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Security Group Management OpCode=Info RecordNumber=228045 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x254 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:27:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5024 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Other System Events OpCode=Info RecordNumber=228044 Keywords=Audit Success Message=The Windows Firewall service started successfully. 11/09/2020 11:27:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=System Integrity OpCode=Info RecordNumber=228052 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: tp-afe7d474-c623-4bbd-a160-c4a182231e76 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:27:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Other System Events OpCode=Info RecordNumber=228051 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 70e9b61ed37810c0b430a5837f45d644_34ca4ca7-a721-48b1-9db0-17df5a4229a7 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\70e9b61ed37810c0b430a5837f45d644_34ca4ca7-a721-48b1-9db0-17df5a4229a7 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:27:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228056 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x27C59 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:27:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228055 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x27C59 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:27:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228054 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:27:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228053 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:27:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228065 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x28436 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:27:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228064 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x28436 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:27:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228063 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:27:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228062 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:27:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228061 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x282E1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:27:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228060 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x282E1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:27:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228059 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:27:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228058 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:27:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Security Group Management OpCode=Info RecordNumber=228057 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x254 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:27:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228083 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x299BD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:27:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228082 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x299BD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:27:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228081 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:27:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228080 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:27:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228079 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x29760 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:27:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228078 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x29760 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:27:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228077 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:27:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228076 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:27:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228075 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x29501 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:27:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228074 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x29501 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:27:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228073 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:27:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228072 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:27:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228071 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x294BE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:27:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228070 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x294BE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:27:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228069 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x294BE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:27:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228068 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:27:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228067 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:27:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228066 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x28436 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:27:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228096 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x2A451 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:27:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228095 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x29501 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:27:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228094 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x29760 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:27:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228093 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x2A451 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:27:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228092 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x2A451 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:27:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228091 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:27:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228090 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:27:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228089 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x2A420 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:27:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228088 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x2A420 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:27:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228087 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x2A420 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:27:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228086 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:27:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228085 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:27:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228084 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x299BD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:27:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228112 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x2BBC5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:27:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228111 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x2BBC5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:27:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228110 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:27:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228109 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:27:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228108 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x2A951 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:27:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228107 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x2A951 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:27:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228106 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:27:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228105 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:27:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228104 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x2A744 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:27:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228103 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x2A744 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:27:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228102 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:27:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228101 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:27:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228100 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x2A4E5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:27:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228099 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x2A4E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:27:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228098 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:27:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228097 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:27:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228116 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x2C060 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:27:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228115 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x2C060 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:27:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228114 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:27:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228113 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:27:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228121 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x346F0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:27:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228120 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x346F0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:27:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228119 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:27:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228118 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:27:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228117 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x2C060 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228281 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneUnsign_v1.0.0.cdxml Handle ID: 0x7c4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228280 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneTransferPolicy_v1.0.0.cdxml Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228279 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneTransfer_v1.0.0.cdxml Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228278 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneSign_v1.0.0.cdxml Handle ID: 0x7c0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228277 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneScope_v1.0.0.cdxml Handle ID: 0x7c4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228276 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneKeyMasterRole_v1.0.0.cdxml Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228275 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneDelegation_v1.0.0.cdxml Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228274 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneAging_v1.0.0.cdxml Handle ID: 0x7c0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228273 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZone_v1.0.0.cdxml Handle ID: 0x7c4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228272 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerVirtualizationInstance_v1.0.0.cdxml Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228271 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerTrustPoint_v1.0.0.cdxml Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228270 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerTrustAnchor_v1.0.0.cdxml Handle ID: 0x7c0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228269 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerStubZone_v1.0.0.cdxml Handle ID: 0x7c4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228268 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerStatistics_v1.0.0.cdxml Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228267 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerSigningKeyRollover_v1.0.0.cdxml Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228266 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerSigningKey_v1.0.0.cdxml Handle ID: 0x7c0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228265 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerSetting_v1.0.0.cdxml Handle ID: 0x7c4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228264 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerSecondaryZone_v1.0.0.cdxml Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228263 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerScavenging_v1.0.0.cdxml Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228262 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerRootHint_v1.0.0.cdxml Handle ID: 0x7c0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228261 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResponseRateLimitingExceptionlist_v1.0.0.cdxml Handle ID: 0x7c4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228260 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResponseRateLimiting_v1.0.0.cdxml Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228259 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordPTR_v1.0.0.cdxml Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228258 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordMX_v1.0.0.cdxml Handle ID: 0x7c0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228257 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordDS_v1.0.0.cdxml Handle ID: 0x7c4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228256 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordDnsKey_v1.0.0.cdxml Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228255 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordCNAME_v1.0.0.cdxml Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228254 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordAging_v1.0.0.cdxml Handle ID: 0x7c0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228253 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordAAAA_v1.0.0.cdxml Handle ID: 0x7c4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228252 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordA_v1.0.0.cdxml Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228251 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecord_v1.0.0.cdxml Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228250 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerRecursionScope_v1.0.0.cdxml Handle ID: 0x7c0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228249 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerRecursion_v1.0.0.cdxml Handle ID: 0x7c4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228248 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerQueryResolutionPolicy_v1.0.0.cdxml Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228247 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerPrimaryZone_v1.0.0.cdxml Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228246 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerPolicy_v1.0.0.cdxml Handle ID: 0x7c0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228245 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerKeyStorageProvider_v1.0.0.cdxml Handle ID: 0x7c4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228244 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerGlobalQueryBlockList_v1.0.0.cdxml Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228243 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerGlobalNameZone_v1.0.0.cdxml Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228242 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerForwarder_v1.0.0.cdxml Handle ID: 0x7c0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228241 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerEdns_v1.0.0.cdxml Handle ID: 0x7c4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228240 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerDsSetting_v1.0.0.cdxml Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228239 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerDnsSecZoneSetting_v1.0.0.cdxml Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228238 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerDnsSecPublicKey_v1.0.0.cdxml Handle ID: 0x7c0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228237 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerDirectoryPartition_v1.0.0.cdxml Handle ID: 0x7c4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228236 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerDiagnostics_v1.0.0.cdxml Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228235 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerConditionalForwarder_v1.0.0.cdxml Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228234 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerClientSubnet_v1.0.0.cdxml Handle ID: 0x7c0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228233 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerCache_v1.0.0.cdxml Handle ID: 0x7c4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228232 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServer_v1.0.0.cdxml Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228231 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\DnsServerPsProvider.Types.ps1xml Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228230 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\DnsServerPsProvider.Format.ps1xml Handle ID: 0x7c0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228229 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\DnsServer.psd1 Handle ID: 0x7c4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228228 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dnsperf.dll Handle ID: 0x7c0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228227 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneUnsign_v1.0.0.cdxml Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228226 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneTransferPolicy_v1.0.0.cdxml Handle ID: 0x7c4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228225 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneTransfer_v1.0.0.cdxml Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228224 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneSign_v1.0.0.cdxml Handle ID: 0x7c0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228223 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneScope_v1.0.0.cdxml Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228222 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneKeyMasterRole_v1.0.0.cdxml Handle ID: 0x7c4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228221 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneDelegation_v1.0.0.cdxml Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228220 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneAging_v1.0.0.cdxml Handle ID: 0x7c0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228219 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZone_v1.0.0.cdxml Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228218 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerVirtualizationInstance_v1.0.0.cdxml Handle ID: 0x7c4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228217 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerTrustPoint_v1.0.0.cdxml Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228216 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerTrustAnchor_v1.0.0.cdxml Handle ID: 0x7c0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228215 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerStubZone_v1.0.0.cdxml Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228214 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerStatistics_v1.0.0.cdxml Handle ID: 0x7c4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228213 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerSigningKeyRollover_v1.0.0.cdxml Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228212 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerSigningKey_v1.0.0.cdxml Handle ID: 0x7c0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228211 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerSetting_v1.0.0.cdxml Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228210 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerSecondaryZone_v1.0.0.cdxml Handle ID: 0x7c4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228209 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerScavenging_v1.0.0.cdxml Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228208 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerRootHint_v1.0.0.cdxml Handle ID: 0x7c0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228207 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResponseRateLimitingExceptionlist_v1.0.0.cdxml Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228206 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResponseRateLimiting_v1.0.0.cdxml Handle ID: 0x7c4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228205 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordPTR_v1.0.0.cdxml Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228204 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordMX_v1.0.0.cdxml Handle ID: 0x7c0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228203 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordDS_v1.0.0.cdxml Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228202 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordDnsKey_v1.0.0.cdxml Handle ID: 0x7c4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228201 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordCNAME_v1.0.0.cdxml Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228200 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordAging_v1.0.0.cdxml Handle ID: 0x7c0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228199 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordAAAA_v1.0.0.cdxml Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228198 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordA_v1.0.0.cdxml Handle ID: 0x7c4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228197 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecord_v1.0.0.cdxml Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228196 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerRecursionScope_v1.0.0.cdxml Handle ID: 0x7c0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228195 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerRecursion_v1.0.0.cdxml Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228194 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerQueryResolutionPolicy_v1.0.0.cdxml Handle ID: 0x7c4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228193 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerPrimaryZone_v1.0.0.cdxml Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228192 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerPolicy_v1.0.0.cdxml Handle ID: 0x7c0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228191 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerKeyStorageProvider_v1.0.0.cdxml Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228190 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerGlobalQueryBlockList_v1.0.0.cdxml Handle ID: 0x7c4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228189 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerGlobalNameZone_v1.0.0.cdxml Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228188 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerForwarder_v1.0.0.cdxml Handle ID: 0x7c0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228187 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerEdns_v1.0.0.cdxml Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228186 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerDsSetting_v1.0.0.cdxml Handle ID: 0x7c4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228185 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerDnsSecZoneSetting_v1.0.0.cdxml Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228184 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerDnsSecPublicKey_v1.0.0.cdxml Handle ID: 0x7c0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228183 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerDirectoryPartition_v1.0.0.cdxml Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228182 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerDiagnostics_v1.0.0.cdxml Handle ID: 0x7c4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228181 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerConditionalForwarder_v1.0.0.cdxml Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228180 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerClientSubnet_v1.0.0.cdxml Handle ID: 0x7c0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228179 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerCache_v1.0.0.cdxml Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228178 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServer_v1.0.0.cdxml Handle ID: 0x7c4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228177 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\DnsServerPsProvider.Types.ps1xml Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228176 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\DnsServerPsProvider.Format.ps1xml Handle ID: 0x7c0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228175 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\DnsServer.psd1 Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228174 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\en-US\dnsserverpsprovider_uninstall.mfl Handle ID: 0x7c0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228173 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\en-US\dnsserverpsprovider.mfl Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228172 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\en-US\dnsserverpsprovider.dll.mui Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228171 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\en-US\dnsprov.mfl Handle ID: 0x7c4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228170 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\en-US\dnsetw.mfl Handle ID: 0x7c0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228169 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\DnsServerPsProvider_Uninstall.mof Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228168 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\DnsServerPsProvider.mof Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228167 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\dnsserverpsprovider.dll Handle ID: 0x7c4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228166 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\dnsprov.mof Handle ID: 0x7c0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228165 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\dnsprov.dll Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228164 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\dnsetw.mof Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228163 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\DNSmgr.dll.mui Handle ID: 0x7c4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228162 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dnsmgmt.msc Handle ID: 0x7c0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228161 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dnscmd.exe.mui Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228160 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dns.exe.mui Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228159 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dns\samples\PLACE.DNS Handle ID: 0x7c4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228158 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dns\samples\CACHE.DNS Handle ID: 0x7c0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228157 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dns\samples\BOOT Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228156 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dns\samples\192.DNS Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228155 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dnsperf.dll Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228154 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dnsmgr.dll Handle ID: 0x7c0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228153 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dnsmgmt.msc Handle ID: 0x7c4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228152 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dnscmd.exe Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228151 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dns.exe Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228150 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\INF\DNS\0409\dnsperf.ini Handle ID: 0x7c0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228149 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\INF\DNS\0000\dnsperf.ini Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228148 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\INF\DNS\dnsperf.h Handle ID: 0x7c4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228147 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\ProgramData\Microsoft\Event Viewer\Views\ServerRoles\DnsServer.Events.xml Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228146 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_event_viewer_views_serverroles_36b1368cd034c4a0.cdf-ms Handle ID: 0x7c4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228145 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_programs_administrative_tools_50eba26877c48094.cdf-ms Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228144 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_programs_d672ba09d81e87ff.cdf-ms Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228143 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_fde55420546edfe6.cdf-ms Handle ID: 0x7c4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228142 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_cae2264614449191.cdf-ms Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228141 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_fe5c6d762edd2110.cdf-ms Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228140 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata.cdf-ms Handle ID: 0x7c4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228139 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_dns_0000_a9f422c913ee6b04.cdf-ms Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228138 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_dns_0409_a9f42a7313ee5f4f.cdf-ms Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228137 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_dns_b45bd646559d7e38.cdf-ms Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228136 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_3f581daba4c8c835.cdf-ms Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228135 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_dns_samples_12e6b2bbbaf4ad18.cdf-ms Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228134 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_en-us_429cd25484dc6f94.cdf-ms Handle ID: 0x7c4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228133 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_wbem_en-us_4555b1beb1c13883.cdf-ms Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228132 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_wbem_06656d9fdf2f8577.cdf-ms Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228131 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_dnsserver_b0e2c53d0808a92c.cdf-ms Handle ID: 0x7c4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228130 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_a349059b05097caa.cdf-ms Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228129 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_3f102d555ee05d33.cdf-ms Handle ID: 0x7c4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228128 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228127 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_modules_dnsserver_0e521656ba347d64.cdf-ms Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228126 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_modules_b001352a7f7811a4.cdf-ms Handle ID: 0x7c4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228125 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_19ae85881f1c4f2d.cdf-ms Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228124 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_21ffbdd2a2dd92e0.cdf-ms Handle ID: 0x7cc Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228123 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$.cdf-ms Handle ID: 0x7c4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228122 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\_0000000000000000.cdf-ms Handle ID: 0x7c8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228283 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:28:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228282 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x34c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:28:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Security Group Management OpCode=Info RecordNumber=228300 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\VSSVC.exe 11/09/2020 11:28:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Security Group Management OpCode=Info RecordNumber=228299 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\VSSVC.exe 11/09/2020 11:28:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Security Group Management OpCode=Info RecordNumber=228298 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\VSSVC.exe 11/09/2020 11:28:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Security Group Management OpCode=Info RecordNumber=228297 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\VSSVC.exe 11/09/2020 11:28:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Security Group Management OpCode=Info RecordNumber=228296 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\VSSVC.exe 11/09/2020 11:28:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Security Group Management OpCode=Info RecordNumber=228295 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\VSSVC.exe 11/09/2020 11:28:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228294 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:28:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228293 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x34c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:28:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Security Group Management OpCode=Info RecordNumber=228292 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\VSSVC.exe 11/09/2020 11:28:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Security Group Management OpCode=Info RecordNumber=228291 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\VSSVC.exe 11/09/2020 11:28:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228290 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:28:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228289 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x34c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:28:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228288 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x501F7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:28:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228287 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x501F7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:28:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228286 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:28:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228285 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:28:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228284 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x346F0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:28:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228330 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5D6E9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:28:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228329 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5D6E9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:28:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228328 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:28:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228327 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:28:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228326 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5C2E7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:28:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228325 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5C2E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:28:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228324 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:28:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228323 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:28:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228322 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5C118 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:28:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228321 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5C118 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:28:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228320 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:28:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228319 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:28:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228318 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5BE05 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:28:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228317 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5BE05 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:28:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228316 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:28:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228315 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:28:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228314 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5BDAD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:28:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228313 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x2A744 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:28:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228312 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5BDAD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:28:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228311 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5BDAD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:28:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228310 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:28:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228309 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:28:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228308 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5BD7C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:28:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228307 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5BD7C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:28:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228306 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5BD7C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:28:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228305 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:28:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228304 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:28:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228303 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x501F7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:28:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228302 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x2BBC5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:28:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228301 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x2A951 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:28:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5059 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Other System Events OpCode=Info RecordNumber=228341 Keywords=Audit Success Message=Key migration operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 332fe7e7-d709-e3d8-af9e-7236c48f4c55 Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0 11/09/2020 11:28:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=System Integrity OpCode=Info RecordNumber=228340 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 332fe7e7-d709-e3d8-af9e-7236c48f4c55 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:28:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Other System Events OpCode=Info RecordNumber=228339 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 332fe7e7-d709-e3d8-af9e-7236c48f4c55 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\c863ea31ca086d21d5ab6f408a21b763_51f82a1e-9fd6-46e2-8656-0a748eeada79 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:28:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=System Integrity OpCode=Info RecordNumber=228338 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 332fe7e7-d709-e3d8-af9e-7236c48f4c55 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:28:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Other System Events OpCode=Info RecordNumber=228337 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 332fe7e7-d709-e3d8-af9e-7236c48f4c55 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\c863ea31ca086d21d5ab6f408a21b763_51f82a1e-9fd6-46e2-8656-0a748eeada79 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:28:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228336 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:28:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228335 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x34c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:28:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228334 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5DC63 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:28:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228333 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5DC63 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:28:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228332 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:28:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228331 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:28:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=System Integrity OpCode=Info RecordNumber=228343 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 332fe7e7-d709-e3d8-af9e-7236c48f4c55 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:28:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Other System Events OpCode=Info RecordNumber=228342 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 332fe7e7-d709-e3d8-af9e-7236c48f4c55 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\c863ea31ca086d21d5ab6f408a21b763_51f82a1e-9fd6-46e2-8656-0a748eeada79 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:28:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=System Integrity OpCode=Info RecordNumber=228345 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 332fe7e7-d709-e3d8-af9e-7236c48f4c55 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:28:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Other System Events OpCode=Info RecordNumber=228344 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 332fe7e7-d709-e3d8-af9e-7236c48f4c55 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\c863ea31ca086d21d5ab6f408a21b763_51f82a1e-9fd6-46e2-8656-0a748eeada79 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:28:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228369 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5C118 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:28:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228368 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5F78F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:28:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228367 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5F78F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:28:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228366 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:28:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228365 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:28:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228364 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5F75E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:28:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228363 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5F75E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:28:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228362 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5F75E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:28:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228361 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:28:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228360 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:28:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228359 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5DC63 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:28:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228358 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5D6E9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:28:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228357 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5C2E7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:28:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=User Account Management OpCode=Info RecordNumber=228356 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5BE05 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Process Information: Process ID: 0x9f4 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 11/09/2020 11:28:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=User Account Management OpCode=Info RecordNumber=228355 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5BE05 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Process Information: Process ID: 0x9f4 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 11/09/2020 11:28:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=User Account Management OpCode=Info RecordNumber=228354 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5BE05 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Process Information: Process ID: 0x9f4 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 11/09/2020 11:28:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=User Account Management OpCode=Info RecordNumber=228353 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5BE05 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Process Information: Process ID: 0x9f4 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 11/09/2020 11:28:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228352 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5F660 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:28:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228351 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5F660 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:28:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228350 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5BE05 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5F660 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f4 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:28:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228349 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:28:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=User Account Management OpCode=Info RecordNumber=228348 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5BE05 User: Security ID: ATTACKRANGE\Guest Account Name: Guest Account Domain: WIN-DC-259 Process Information: Process ID: 0x9f4 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 11/09/2020 11:28:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=User Account Management OpCode=Info RecordNumber=228347 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5BE05 User: Security ID: ATTACKRANGE\DefaultAccount Account Name: DefaultAccount Account Domain: WIN-DC-259 Process Information: Process ID: 0x9f4 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 11/09/2020 11:28:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=User Account Management OpCode=Info RecordNumber=228346 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5BE05 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Process Information: Process ID: 0x9f4 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 11/09/2020 11:28:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228387 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x61096 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:28:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228386 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x61096 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:28:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228385 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:28:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228384 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:28:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228383 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5FC38 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:28:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228382 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5FC38 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:28:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228381 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:28:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228380 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:28:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228379 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5FA3A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:28:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228378 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5FA3A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:28:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228377 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:28:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228376 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:28:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228375 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5F7DB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:28:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228374 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5F7DB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:28:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228373 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:28:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228372 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:28:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228371 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5F78F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:28:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228370 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5BE05 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:28:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228391 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x61DA9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:28:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228390 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x61DA9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:28:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228389 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:28:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228388 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228560 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\ActiveDirectory\ActiveDirectory.Types.ps1xml Handle ID: 0x754 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228559 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\ActiveDirectory\ActiveDirectory.psd1 Handle ID: 0x520 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228558 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\ActiveDirectory\ActiveDirectory.Format.ps1xml Handle ID: 0x9f0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228557 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\schmmgmt.dll.mui Handle ID: 0x520 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228556 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\repadmin.exe.mui Handle ID: 0x754 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228555 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\rendom.exe.mui Handle ID: 0x5b4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228554 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\redirusr.exe.mui Handle ID: 0xa50 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228553 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\redircmp.exe.mui Handle ID: 0x520 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228552 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\ntfrsapi.dll.mui Handle ID: 0x5e8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228551 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\ntdsutil.exe.mui Handle ID: 0x5b4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228550 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\ldp.exe.mui Handle ID: 0xa50 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228549 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\ldifde.exe.mui Handle ID: 0x520 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228548 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\gpfixup.exe.mui Handle ID: 0x5e8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228547 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\dsuiwiz.dll.mui Handle ID: 0x5a0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228546 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\dssite.msc Handle ID: 0x914 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228545 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\dsrm.exe.mui Handle ID: 0x520 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228544 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\dsquery.exe.mui Handle ID: 0x5e8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228543 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\dsmove.exe.mui Handle ID: 0x5a0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228542 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\dsmod.exe.mui Handle ID: 0x914 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228541 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\dsmgmt.exe.mui Handle ID: 0x520 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228540 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\dsget.exe.mui Handle ID: 0x5e8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228539 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\dsdbutil.exe.mui Handle ID: 0x5a0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228538 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\dsadmin.dll.mui Handle ID: 0x5b4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228537 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\dsadd.exe.mui Handle ID: 0x914 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228536 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\dsacls.exe.mui Handle ID: 0x5e8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228535 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\dsa.msc Handle ID: 0x520 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228534 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\domain.msc Handle ID: 0x5b4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228533 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\domadmin.dll.mui Handle ID: 0x914 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228532 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\dcpromoui.dll.mui Handle ID: 0x5b4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228531 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\dcpromocmd.dll.mui Handle ID: 0xa50 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228530 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\dcdiag.exe.mui Handle ID: 0x520 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228529 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\csvde.exe.mui Handle ID: 0x5e8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228528 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\adsiedit.msc Handle ID: 0x5b4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228527 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\adsiedit.dll.mui Handle ID: 0xa50 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228526 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\adprop.dll.mui Handle ID: 0x520 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228525 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\schmmgmt.dll Handle ID: 0x5e8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228524 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\repadmin.exe Handle ID: 0x5b4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228523 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\rendom.exe Handle ID: 0xa50 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228522 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\redirusr.exe Handle ID: 0x520 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228521 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\redircmp.exe Handle ID: 0x5e8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228520 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\ntfrsapi.dll Handle ID: 0x5b4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228519 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\ntdsutil.exe Handle ID: 0xa50 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228518 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\ldp.exe Handle ID: 0x520 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228517 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\ldifde.exe Handle ID: 0x5e8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228516 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\gpfixup.exe Handle ID: 0x5b4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228515 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dsuiwiz.dll Handle ID: 0xa50 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228514 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dssite.msc Handle ID: 0x5a0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228513 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dsrm.exe Handle ID: 0x914 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228512 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dsquery.exe Handle ID: 0x5b4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228511 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dsmove.exe Handle ID: 0xa50 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228510 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dsmod.exe Handle ID: 0x5a0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228509 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dsmgmt.exe Handle ID: 0x520 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228508 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dsget.exe Handle ID: 0x914 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228507 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dsdbutil.exe Handle ID: 0x5b4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228506 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dsadmin.dll Handle ID: 0xa50 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228505 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dsadd.exe Handle ID: 0x520 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228504 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dsacls.exe Handle ID: 0x914 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228503 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dsa.msc Handle ID: 0x5b4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228502 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\domain.msc Handle ID: 0xa50 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228501 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\domadmin.dll Handle ID: 0x520 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228500 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\delegwiz.inf Handle ID: 0x914 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228499 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dcpromoui.dll Handle ID: 0x5b4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228498 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dcpromocmd.dll Handle ID: 0xa50 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228497 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dcdiag.exe Handle ID: 0x520 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228496 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\csvde.exe Handle ID: 0x914 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228495 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\adsiedit.msc Handle ID: 0x5b4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228494 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\adsiedit.dll Handle ID: 0xa50 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228493 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\adprop.dll Handle ID: 0x520 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228492 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\ActiveDirectoryPowerShellResources.dll.mui Handle ID: 0x914 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228491 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\ActiveDirectoryPowerShellResources.dll Handle ID: 0x520 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228490 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\ActiveDirectory.Types.ps1xml Handle ID: 0x5a0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228489 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\ActiveDirectory.psd1 Handle ID: 0x914 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228488 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\ActiveDirectory.Format.ps1xml Handle ID: 0x5b4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228487 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\schmmgmt.dll.mui Handle ID: 0xa50 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228486 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\repadmin.exe.mui Handle ID: 0x5e8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228485 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\rendom.exe.mui Handle ID: 0x520 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228484 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\redirusr.exe.mui Handle ID: 0x754 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228483 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\redircmp.exe.mui Handle ID: 0xa50 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228482 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\ntfrsapi.dll.mui Handle ID: 0x5a0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228481 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\ntdsutil.exe.mui Handle ID: 0x914 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228480 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\ldp.exe.mui Handle ID: 0x754 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228479 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\ldifde.exe.mui Handle ID: 0x5b4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228478 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\gpfixup.exe.mui Handle ID: 0x5a0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228477 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dsuiwiz.dll.mui Handle ID: 0x914 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228476 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dssite.msc Handle ID: 0x754 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228475 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dsrm.exe.mui Handle ID: 0x5b4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228474 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dsquery.exe.mui Handle ID: 0x5a0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228473 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dsmove.exe.mui Handle ID: 0x914 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228472 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dsmod.exe.mui Handle ID: 0x754 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228471 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dsmgmt.exe.mui Handle ID: 0x5b4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228470 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dsget.exe.mui Handle ID: 0x5a0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228469 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dsdbutil.exe.mui Handle ID: 0x914 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228468 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dsadmin.dll.mui Handle ID: 0x754 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228467 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dsadd.exe.mui Handle ID: 0x5b4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228466 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dsacn.dll.mui Handle ID: 0x5b4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228465 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dsacls.exe.mui Handle ID: 0xa50 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228464 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dsa.msc Handle ID: 0x914 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228463 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\domain.msc Handle ID: 0x754 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228462 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\domadmin.dll.mui Handle ID: 0x5b4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228461 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dcpromoui.dll.mui Handle ID: 0xa50 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228460 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dcpromocmd.dll.mui Handle ID: 0x914 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228459 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dcdiag.exe.mui Handle ID: 0x754 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228458 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\csvde.exe.mui Handle ID: 0x5b4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228457 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\adsiedit.msc Handle ID: 0xa50 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228456 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\adsiedit.dll.mui Handle ID: 0x914 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228455 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\adprop.dll.mui Handle ID: 0x754 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228454 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en\Microsoft.ActiveDirectory.Management.resources.dll Handle ID: 0x5b4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228453 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en\dsac.resources.dll Handle ID: 0xa50 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228452 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\schmmgmt.dll Handle ID: 0x5a0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228451 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\repadmin.exe Handle ID: 0x754 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228450 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rendom.exe Handle ID: 0x5b4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228449 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\redirusr.exe Handle ID: 0xa50 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228448 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\redircmp.exe Handle ID: 0x5a0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228447 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ntfrsapi.dll Handle ID: 0x754 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228446 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ntdsutil.exe Handle ID: 0x5b4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228445 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ldp.exe Handle ID: 0xa50 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228444 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ldifde.exe Handle ID: 0x5a0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228443 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\gpfixup.exe Handle ID: 0x5b4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228442 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dsuiwiz.dll Handle ID: 0x5e8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228441 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dssite.msc Handle ID: 0x520 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228440 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dsrm.exe Handle ID: 0x914 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228439 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dsquery.exe Handle ID: 0x5b4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228438 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dsmove.exe Handle ID: 0x5e8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228437 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dsmod.exe Handle ID: 0x520 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228436 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dsmgmt.exe Handle ID: 0x914 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228435 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dsget.exe Handle ID: 0x5b4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228434 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dsdbutil.exe Handle ID: 0x5e8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228433 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dsadmin.dll Handle ID: 0x520 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228432 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dsadd.exe Handle ID: 0x914 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228431 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dsacn.dll Handle ID: 0x5b4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228430 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dsacls.exe Handle ID: 0x5e8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228429 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dsac.exe Handle ID: 0x5b4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228428 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dsa.msc Handle ID: 0x914 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228427 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\domain.msc Handle ID: 0x520 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228426 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\domadmin.dll Handle ID: 0x5e8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228425 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\delegwiz.inf Handle ID: 0x5b4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228424 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dcpromoui.dll Handle ID: 0xa50 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228423 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dcpromocmd.dll Handle ID: 0x5a0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228422 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dcdiag.exe Handle ID: 0x5b4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228421 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\csvde.exe Handle ID: 0x5e8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228420 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adsiedit.msc Handle ID: 0x754 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228419 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adsiedit.dll Handle ID: 0xa50 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228418 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprop.dll Handle ID: 0x5b4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228417 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_programs_administrative_tools_50eba26877c48094.cdf-ms Handle ID: 0xa50 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228416 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_programs_d672ba09d81e87ff.cdf-ms Handle ID: 0x5e8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228415 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_fde55420546edfe6.cdf-ms Handle ID: 0x754 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228414 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_cae2264614449191.cdf-ms Handle ID: 0xa50 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228413 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_fe5c6d762edd2110.cdf-ms Handle ID: 0x5e8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228412 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata.cdf-ms Handle ID: 0x754 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228411 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_en_9da4492827ac64e5.cdf-ms Handle ID: 0xa50 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228410 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_en-us_429cd25484dc6f94.cdf-ms Handle ID: 0x5a0 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228409 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_activedirectory_en-us_8c3f31d53041388d.cdf-ms Handle ID: 0x5e8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228408 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_activedirectory_bedd0f1af87a5c73.cdf-ms Handle ID: 0x754 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228407 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_a349059b05097caa.cdf-ms Handle ID: 0x5e8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228406 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_3f102d555ee05d33.cdf-ms Handle ID: 0x754 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228405 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms Handle ID: 0xa50 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228404 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_en-us_9e576ab077991fe8.cdf-ms Handle ID: 0x5e8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228403 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_modules_activedirectory_en-us_a57c0c93e0b20e55.cdf-ms Handle ID: 0x754 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228402 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_modules_activedirectory_5d166ad940a9b76d.cdf-ms Handle ID: 0xa50 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228401 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_modules_b001352a7f7811a4.cdf-ms Handle ID: 0x754 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228400 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_19ae85881f1c4f2d.cdf-ms Handle ID: 0xa50 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228399 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_21ffbdd2a2dd92e0.cdf-ms Handle ID: 0x5e8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228398 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$.cdf-ms Handle ID: 0x754 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228397 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\_0000000000000000.cdf-ms Handle ID: 0xa50 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228396 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x73192 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228395 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x73192 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228394 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228393 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:28:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228392 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x61DA9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:28:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228587 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x81B8B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:28:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228586 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x81B8B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:28:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228585 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:28:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228584 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:28:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228583 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x81982 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:28:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228582 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x81982 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:28:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228581 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:28:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228580 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:28:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228579 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x8166B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:28:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228578 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x8166B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:28:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228577 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:28:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228576 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:28:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228575 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x81614 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:28:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228574 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5F7DB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:28:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228573 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5FA3A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:28:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228572 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x81614 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:28:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228571 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x81614 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:28:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228570 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:28:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228569 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:28:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228568 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x815DE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:28:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228567 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x815DE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:28:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228566 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x815DE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:28:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228565 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:28:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228564 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:28:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228563 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x73192 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:28:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228562 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x61096 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:28:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228561 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x5FC38 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:28:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228595 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x844C1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:28:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228594 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x844C1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:28:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228593 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:28:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228592 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:28:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228591 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x82EB7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:28:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228590 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x82EB7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:28:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228589 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:28:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228588 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228937 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\ntdsperf.dll.mui Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228936 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\gptedit.msc Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228935 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\GPRSoP.dll.mui Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228934 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\gpregistrybrowser.dll.mui Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228933 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\gpprefcn.dll.mui Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228932 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\gpprefbr.dll.mui Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228931 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\gppref.dll.mui Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228930 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\GPOAdminCustom.dll.mui Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228929 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\GPOAdminCommon.dll.mui Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228928 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\GPOAdmin.dll.mui Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228927 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\gpmgmt.dll.mui Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228926 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\gpme.msc Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228925 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\gpme.dll.mui Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228924 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\gpmc.msc Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228923 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\dfsrPropagationStrings.xml Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228922 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\DfsrHelper.dll.mui Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228921 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\dfsrHealthStrings.xml Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228920 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\dfsrHealthMessages.xml Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228919 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\DfsRes.dll.mui Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228918 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\DfsfrsHost.exe.mui Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228917 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\NTFRSPRF.dll Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228916 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\ntdsperf.dll Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228915 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\gptedit.msc Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228914 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\GPRSoP.dll Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228913 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\GPOAdminCustom.dll Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228912 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\GPOAdminCommon.dll Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228911 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\GPOAdmin.dll Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228910 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\gpmgmt.dll Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228909 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\gpme.msc Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228908 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\gpme.dll Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228907 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\gpmc.msc Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228906 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dfsrPropagationReport.xsl Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228905 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\DfsrHelper.dll Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228904 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dfsrHealthReport.xsl Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228903 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\DfsRes.dll Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228902 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dfsfrsHost.exe Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228901 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\GroupPolicy\GroupPolicy.psd1 Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228900 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\GroupPolicy\GroupPolicy.format.ps1xml Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228899 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DFSN\MSFT_DFSNamespaceServerConfig\DfsNamespaceserverconfig.types.ps1xml Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228898 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DFSN\MSFT_DFSNamespaceServerConfig\DfsNamespaceServerConfig.format.ps1xml Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228897 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DFSN\MSFT_DFSNamespaceServerConfig\DfsNamespaceserverconfig.cdxml Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228896 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DFSN\MSFT_DFSNamespaceRootTarget\DfsNamespaceRootTarget.types.ps1xml Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228895 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DFSN\MSFT_DFSNamespaceRootTarget\DfsNamespaceRootTarget.format.ps1xml Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228894 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DFSN\MSFT_DFSNamespaceRootTarget\DfsNamespaceRootTarget.cdxml Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228893 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DFSN\MSFT_DFSNamespaceFolderTarget\DfsNamespaceFolderTarget.types.ps1xml Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228892 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DFSN\MSFT_DFSNamespaceFolderTarget\DfsNamespaceFolderTarget.format.ps1xml Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228891 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DFSN\MSFT_DFSNamespaceFolderTarget\DfsNamespaceFolderTarget.cdxml Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228890 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DFSN\MSFT_DFSNamespaceFolder\DfsNamespaceFolder.types.ps1xml Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228889 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DFSN\MSFT_DFSNamespaceFolder\DfsNamespaceFolder.format.ps1xml Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228888 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DFSN\MSFT_DFSNamespaceFolder\DfsNamespaceFolder.cdxml Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228887 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DFSN\MSFT_DFSNamespaceAccess\DfsNamespaceAccess.types.ps1xml Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228886 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DFSN\MSFT_DFSNamespaceAccess\DfsNamespaceAccess.format.ps1xml Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228885 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DFSN\MSFT_DFSNamespaceAccess\DfsNamespaceAccess.cdxml Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228884 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DFSN\MSFT_DFSNamespace\DfsNamespace.types.ps1xml Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228883 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DFSN\MSFT_DFSNamespace\DfsNamespace.format.ps1xml Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228882 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DFSN\MSFT_DFSNamespace\DfsNamespace.cdxml Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228881 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DFSN\dfsn.psd1 Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228880 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ADDSDeployment\ADDSDeployment.psd1 Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228879 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\en-US\replprov.mfl Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228878 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\en-US\dfsrwmiv2_uninstall.mfl Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228877 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\en-US\dfsrwmiv2.mfl Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228876 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\en-US\dfsrwmiv2.dll.mui Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228875 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\en-US\dfsrprovs.mfl Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228874 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\en-US\dfsncimprov_Uninstall.mfl Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228873 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\en-US\dfsncimprov.mfl Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228872 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\adstatus\en-US\trustmon.mfl Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228871 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\adstatus\en-US\trustmon.dll.mui Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228870 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\adstatus\trustmon.dll Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228869 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\ntdsa.mof Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228868 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\kdcsvc.mof Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228867 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\dfsrwmiv2_uninstall.mof Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228866 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\dfsrwmiv2.mof Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228865 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\dfsrwmiv2.dll Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228864 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\dfsrprovs.mof Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228863 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\dfsncimprov_Uninstall.mof Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228862 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\dfsncimprov.mof Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228861 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\migration\adwsmigrate.dll Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228860 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\replprov.dll.mui Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228859 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\propshts.dll.mui Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228858 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\ntfrsutl.exe.mui Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228857 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\ntfrsres.dll.mui Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228856 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\ntfrs.exe.mui Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228855 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\ntdsperf.dll.mui Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228854 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\ntdsmsg.dll.mui Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228853 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\ntdsbmsg.dll.mui Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228852 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\ntdsatq.dll.mui Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228851 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\ntdsa.dll.mui Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228850 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\ldifde.dll.mui Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228849 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\KdsSvc.dll.mui Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228848 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\kdcsvc.dll.mui Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228847 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\kdcpw.dll.mui Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228846 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\ismserv.exe.mui Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228845 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\gptedit.msc Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228844 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\GPRSoP.dll.mui Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228843 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\gpregistrybrowser.dll.mui Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228842 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\gpprefcn.dll.mui Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228841 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\gpprefbr.dll.mui Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228840 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\gppref.dll.mui Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228839 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\GPOAdminCustom.dll.mui Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228838 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\GPOAdminCommon.dll.mui Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228837 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\GPOAdmin.dll.mui Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228836 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\gpmgmt.dll.mui Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228835 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\gpme.msc Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228834 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\gpme.dll.mui Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228833 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\gpmc.msc Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228832 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dsrolesrv.dll.mui Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228831 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dfsutil.exe.mui Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228830 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dfssvc.exe.mui Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228829 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dfsrs.exe.mui Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228828 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dfsrress.dll.mui Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228827 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dfsrPropagationStrings.xml Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228826 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dfsrmig.exe.mui Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228825 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\DfsrHelper.dll.mui Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228824 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dfsrHealthStrings.xml Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228823 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dfsrHealthMessages.xml Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228822 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\DfsRes.dll.mui Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228821 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dfsncimprov.dll.mui Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228820 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\DfsfrsHost.exe.mui Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228819 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dfsdiag.exe.mui Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228818 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dfscmd.exe.mui Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228817 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\csvde.dll.mui Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228816 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\adprep.dll.mui Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228815 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en\mtedit.resources.dll Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228814 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\dfsrro.sys Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228813 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\dfs.sys Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228812 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\schupgrade.cat Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228811 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch87.ldf Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228810 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch86.ldf Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228809 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch85.ldf Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228808 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch84.ldf Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228807 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch83.ldf Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228806 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch82.ldf Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228805 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch81.ldf Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228804 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch80.ldf Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228803 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch79.ldf Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228802 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch78.ldf Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228801 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch77.ldf Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228800 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch76.ldf Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228799 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch75.ldf Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228798 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch74.ldf Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228797 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch73.ldf Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228796 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch72.ldf Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228795 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch71.ldf Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228794 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch70.ldf Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228793 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch69.ldf Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228792 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch68.ldf Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228791 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch67.ldf Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228790 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch66.ldf Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228789 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch65.ldf Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228788 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch64.ldf Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228787 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch63.ldf Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228786 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch62.ldf Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228785 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch61.ldf Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228784 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch60.ldf Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228783 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch59.ldf Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228782 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch58.ldf Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228781 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch57.ldf Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228780 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch56.ldf Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228779 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch55.ldf Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228778 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch54.ldf Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228777 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch53.ldf Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228776 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch52.ldf Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228775 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch51.ldf Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228774 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch50.ldf Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228773 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch49.ldf Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228772 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch48.ldf Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228771 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch47.ldf Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228770 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch46.ldf Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228769 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch45.ldf Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228768 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch44.ldf Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228767 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch43.ldf Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228766 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch42.ldf Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228765 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch41.ldf Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228764 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch40.ldf Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228763 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch39.ldf Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228762 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch38.ldf Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228761 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch37.ldf Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228760 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch36.ldf Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228759 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch35.ldf Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228758 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch34.ldf Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228757 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch33.ldf Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228756 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch32.ldf Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228755 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch31.ldf Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228754 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch30.ldf Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228753 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch29.ldf Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228752 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch28.ldf Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228751 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch27.ldf Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228750 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch26.ldf Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228749 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch25.ldf Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228748 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch24.ldf Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228747 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch23.ldf Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228746 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch22.ldf Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228745 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch21.ldf Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228744 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch20.ldf Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228743 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch19.ldf Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228742 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch18.ldf Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228741 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch17.ldf Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228740 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch16.ldf Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228739 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch15.ldf Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228738 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\sch14.ldf Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228737 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\pas.ldf Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228736 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\ffa5ee3c-1405-476d-b344-7ad37d69cc25.dcpromo.csv Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228735 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\dcpromo.csv Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228734 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\dca8f425-baae-47cd-b424-e3f6c76ed08b.dcpromo.csv Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228733 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\a662b036-dbbe-4166-b4ba-21abea17f9cc.dcpromo.csv Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228732 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\4444c516-f43a-4c12-9c4b-b5c064941d61.dcpromo.csv Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228731 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\134428a8-0043-48a6-bcda-63310d9ec4dd.dcpromo.csv Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228730 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep\00232167-f3a4-43c6-b503-9acb7a81b01c.dcpromo.csv Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228729 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ADDSDeployment_Internal\ADDSDeployment_Internal.psm1 Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228728 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ADDSDeployment_Internal\ADDSDeployment_Internal.psd1 Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228727 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\TransformationRulesParser.exe Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228726 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\schema.ini Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228725 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SampleDCCloneConfig.xml Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228724 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\replprov.mof Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228723 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\replprov.dll Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228722 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\PwdSSP.dll Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228721 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ntfrsutl.exe Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228720 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ntfrsres.dll Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228719 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ntfrsrep.ini Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228718 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ntfrsrep.h Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228717 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\NTFRSPRF.dll Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228716 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ntfrscon.ini Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228715 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ntfrscon.h Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228714 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ntfrs.exe Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228713 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ntdsperf.dll Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228712 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ntdsmsg.dll Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228711 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ntdskcc.dll Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228710 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ntdsetup.dll Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228709 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ntdsbsrv.dll Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228708 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ntdsbmsg.dll Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228707 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ntdsatq.dll Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228706 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ntdsai.dll Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228705 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ntdsa.dll Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228704 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mtedit.exe Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228703 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\lsadb.dll Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228702 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ldifde.dll Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228701 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\KdsSvc.dll Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228700 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\kdcsvc.dll Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228699 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\kdcpw.dll Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228698 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ismserv.exe Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228697 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ismip.dll Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228696 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\gptedit.msc Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228695 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\GPRSoP.dll Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228694 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\GPOAdminCustom.dll Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228693 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\GPOAdminCommon.dll Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228692 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\GPOAdmin.dll Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228691 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\gpmgmt.dll Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228690 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\gpme.msc Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228689 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\gpme.dll Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228688 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\gpmc.msc Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228687 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dsrolesrv.dll Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228686 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dsamain.exe Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228685 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dfsutil.exe Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228684 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dfssvc.exe Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228683 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dfsrs.exe Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228682 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dfsrress.dll Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228681 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dfsrPropagationReport.xsl Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228680 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dfsrmig.exe Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228679 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DfsrHelper.dll Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228678 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dfsrHealthReport.xsl Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228677 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DfsRes.dll Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228676 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dfsrapi.dll Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228675 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dfsncimprov.dll Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228674 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dfsfrsHost.exe Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228673 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DfsDiag.exe Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228672 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dfscmd.exe Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228671 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DefaultDCCloneAllowList.XML Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228670 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DCCloneConfigSchema.xsd Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228669 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\CustomDCCloneAllowListSchema.xsd Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228668 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\csvde.dll Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228667 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\adprep.dll Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228666 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\PLA\Rules\en-US\Rules.AD.xml Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228665 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\PLA\Rules\Rules.AD.xml Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228664 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\PLA\Reports\en-US\Report.AD.xml Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228663 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\PLA\Reports\Report.AD.xml Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228662 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\INF\NTDS\0409\ntds.ini Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228661 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\INF\NTDS\0000\ntds.ini Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228660 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\INF\NTDS\ntdsctr.h Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228659 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\INF\DirectoryServices\0409\ntdsctrs.ini Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228658 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\INF\DirectoryServices\0000\ntdsctrs.ini Handle ID: 0xd20 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228657 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\INF\DirectoryServices\ntdsctr.h Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228656 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ADWS\en-US\adwsres.dll.mui Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228655 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ADWS\en\Microsoft.ActiveDirectory.WebServices.shared.resources.dll Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228654 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ADWS\en\Microsoft.ActiveDirectory.WebServices.resources.dll Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228653 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.shared.dll Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228652 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228651 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ADWS\adwsres.dll Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228650 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\ProgramData\Microsoft\Event Viewer\Views\ServerRoles\ActiveDirectoryDomainServices.Events.xml Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228649 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_event_viewer_views_serverroles_36b1368cd034c4a0.cdf-ms Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228648 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_programs_administrative_tools_50eba26877c48094.cdf-ms Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228647 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_programs_d672ba09d81e87ff.cdf-ms Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228646 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_fde55420546edfe6.cdf-ms Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228645 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_cae2264614449191.cdf-ms Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228644 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_fe5c6d762edd2110.cdf-ms Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228643 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata.cdf-ms Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228642 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_adws_en_9ef683327778e99a.cdf-ms Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228641 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_adws_en-us_b35e8e0c695e6d21.cdf-ms Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228640 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_adws_40103581a18c1e95.cdf-ms Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228639 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_directoryservices_0000_305e975d8b02b78e.cdf-ms Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228638 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_directoryservices_0409_305ea87b8b029dc9.cdf-ms Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228637 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_directoryservices_b618ab98d94f9ec8.cdf-ms Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228636 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_ntds_0000_b76570db4564f96c.cdf-ms Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228635 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_ntds_0409_b765704b4564fab9.cdf-ms Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228634 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_ntds_0ef7086abde34382.cdf-ms Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228633 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_3f581daba4c8c835.cdf-ms Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228632 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_pla_reports_en-us_04eb81229a78dfb4.cdf-ms Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228631 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_pla_reports_a2604845b2b380ca.cdf-ms Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228630 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_pla_rules_en-us_8cd2a7c250e636a2.cdf-ms Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228629 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_pla_rules_0bde462ce96f215e.cdf-ms Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228628 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_pla_system_571618c4f89c6368.cdf-ms Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228627 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_addsdeployment_internal_6dd790b76065b9c7.cdf-ms Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228626 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_adprep_103763c9308d2cf6.cdf-ms Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228625 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_drivers_dc1b782427b5ee1b.cdf-ms Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228624 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_en_9da4492827ac64e5.cdf-ms Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228623 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_en-us_429cd25484dc6f94.cdf-ms Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228622 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_migration_927a21df1acd7c18.cdf-ms Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228621 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_wbem_adstatus_en-us_598d775e25df3776.cdf-ms Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228620 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_wbem_adstatus_3d598f1a257714d4.cdf-ms Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228619 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_wbem_en-us_4555b1beb1c13883.cdf-ms Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228618 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_wbem_06656d9fdf2f8577.cdf-ms Handle ID: 0xca8 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228617 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_addsdeployment_en-us_2a74edccc1769c65.cdf-ms Handle ID: 0xca4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228616 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_addsdeployment_7c6e6fd78a5229e5.cdf-ms Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228615 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_dfsn_msft_dfsnamespace_76cc4c037f1ec6b8.cdf-ms Handle ID: 0xcac Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228614 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_dfsn_msft_dfsnamespaceaccess_fafeb1eac22b971e.cdf-ms Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228613 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_dfsn_msft_dfsnamespacefolder_fa628b96c354deb2.cdf-ms Handle ID: 0xcac Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228612 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_dfsn_msft_dfsnamespacefoldertarget_93cbfec69ca8dba5.cdf-ms Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228611 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_dfsn_msft_dfsnamespaceroottarget_73120b72a6f80f93.cdf-ms Handle ID: 0xcac Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228610 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_dfsn_msft_dfsnamespaceserverconfig_91d2af3f6ce50f5d.cdf-ms Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228609 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_dfsn_6a826925d13e6565.cdf-ms Handle ID: 0xcac Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228608 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_grouppolicy_en-us_97cae6696b4b501f.cdf-ms Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228607 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_grouppolicy_b883802c54ca5457.cdf-ms Handle ID: 0xcac Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228606 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_a349059b05097caa.cdf-ms Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228605 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_3f102d555ee05d33.cdf-ms Handle ID: 0xcac Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228604 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms Handle ID: 0x7a4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228603 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_en-us_9e576ab077991fe8.cdf-ms Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228602 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_modules_grouppolicy_en-us_1786904f38608857.cdf-ms Handle ID: 0xcac Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228601 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_modules_grouppolicy_f160218b6d329add.cdf-ms Handle ID: 0x7a4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228600 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_modules_b001352a7f7811a4.cdf-ms Handle ID: 0xcac Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228599 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_19ae85881f1c4f2d.cdf-ms Handle ID: 0x7a4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228598 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_21ffbdd2a2dd92e0.cdf-ms Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228597 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$.cdf-ms Handle ID: 0xcac Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228596 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\_0000000000000000.cdf-ms Handle ID: 0x7a4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:29:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228940 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\GroupPolicy\GroupPolicy.psd1 Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228939 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\GroupPolicy\GroupPolicy.format.ps1xml Handle ID: 0xc9c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228938 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\en-US\propshts.dll.mui Handle ID: 0xdb4 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 11/09/2020 11:29:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228942 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: Key Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DfsrRo\Instances\DfsrRo Handle ID: 0xd2c Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;FA;KA;;;WD) 11/09/2020 11:29:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228941 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: Key Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DfsrRo\Instances Handle ID: 0xd38 Process Information: Process ID: 0xfdc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;FA;KA;;;WD) 11/09/2020 11:29:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228953 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:29:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228952 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x34c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:29:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228951 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:29:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228950 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x34c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:29:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228949 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:29:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228948 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x34c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:29:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228947 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0xAA435 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:29:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228946 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0xAA435 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:29:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228945 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:29:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228944 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:29:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228943 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x844C1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:29:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228968 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0xB876E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:29:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228967 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x8166B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:29:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228966 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x81982 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:29:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228965 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0xB876E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:29:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228964 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0xB876E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:29:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228963 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:29:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228962 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:29:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228961 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0xB873C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:29:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228960 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0xB873C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:29:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228959 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0xB873C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:29:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228958 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:29:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228957 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:29:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228956 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0xAA435 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:29:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228955 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x82EB7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:29:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228954 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x81B8B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:29:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228988 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0xBA87F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:29:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228987 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0xBA87F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:29:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228986 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:29:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228985 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:29:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228984 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0xBA2BC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:29:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228983 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0xBA2BC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:29:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228982 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:29:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228981 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:29:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228980 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0xB8CAF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:29:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228979 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0xB8CAF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:29:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228978 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:29:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228977 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:29:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228976 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0xB8ACD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:29:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228975 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0xB8ACD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:29:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228974 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:29:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228973 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:29:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228972 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0xB87BA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:29:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228971 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0xB87BA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:29:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228970 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:29:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228969 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:29:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228993 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0xCA319 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:29:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228992 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0xCA319 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:29:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228991 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:29:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228990 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:29:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228989 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0xBA87F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228994 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x2A4E5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:30:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=228999 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0xD3FFD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:30:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228998 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0xD3FFD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:30:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=228997 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:30:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=228996 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:30:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=228995 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0xCA319 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:30:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4717 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Authentication Policy Change OpCode=Info RecordNumber=229010 Keywords=Audit Success Message=System security access was granted to an account. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Account Modified: Account Name: NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Access Granted: Access Right: SeNetworkLogonRight 11/09/2020 11:30:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4717 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Authentication Policy Change OpCode=Info RecordNumber=229009 Keywords=Audit Success Message=System security access was granted to an account. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Account Modified: Account Name: NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Access Granted: Access Right: SeInteractiveLogonRight 11/09/2020 11:30:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4717 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Authentication Policy Change OpCode=Info RecordNumber=229008 Keywords=Audit Success Message=System security access was granted to an account. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Account Modified: Account Name: BUILTIN\Print Operators Access Granted: Access Right: SeInteractiveLogonRight 11/09/2020 11:30:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4717 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Authentication Policy Change OpCode=Info RecordNumber=229007 Keywords=Audit Success Message=System security access was granted to an account. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Account Modified: Account Name: BUILTIN\Account Operators Access Granted: Access Right: SeInteractiveLogonRight 11/09/2020 11:30:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4718 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Authentication Policy Change OpCode=Info RecordNumber=229006 Keywords=Audit Success Message=System security access was removed from an account. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Account Modified: Account Name: BUILTIN\Users Access Removed: Access Right: SeNetworkLogonRight 11/09/2020 11:30:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4717 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Authentication Policy Change OpCode=Info RecordNumber=229005 Keywords=Audit Success Message=System security access was granted to an account. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Account Modified: Account Name: BUILTIN\Pre-Windows 2000 Compatible Access Access Granted: Access Right: SeNetworkLogonRight 11/09/2020 11:30:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4717 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Authentication Policy Change OpCode=Info RecordNumber=229004 Keywords=Audit Success Message=System security access was granted to an account. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Account Modified: Account Name: NT AUTHORITY\Authenticated Users Access Granted: Access Right: SeNetworkLogonRight 11/09/2020 11:30:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4717 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Authentication Policy Change OpCode=Info RecordNumber=229003 Keywords=Audit Success Message=System security access was granted to an account. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Account Modified: Account Name: BUILTIN\Server Operators Access Granted: Access Right: SeInteractiveLogonRight 11/09/2020 11:30:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4718 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Authentication Policy Change OpCode=Info RecordNumber=229002 Keywords=Audit Success Message=System security access was removed from an account. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Account Modified: Account Name: BUILTIN\Backup Operators Access Removed: Access Right: SeNetworkLogonRight 11/09/2020 11:30:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4718 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Authentication Policy Change OpCode=Info RecordNumber=229001 Keywords=Audit Success Message=System security access was removed from an account. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Account Modified: Account Name: BUILTIN\Remote Desktop Users Access Removed: Access Right: SeRemoteInteractiveLogonRight 11/09/2020 11:30:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4718 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Authentication Policy Change OpCode=Info RecordNumber=229000 Keywords=Audit Success Message=System security access was removed from an account. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Account Modified: Account Name: BUILTIN\Users Access Removed: Access Right: SeInteractiveLogonRight 11/09/2020 11:30:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=229017 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SYSVOL\sysvol Handle ID: 0x430 Process Information: Process ID: 0x34c Process Name: C:\Windows\System32\services.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICISA;SD;;;WD) 11/09/2020 11:30:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=229016 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SYSVOL\sysvol\attackrange.local Handle ID: 0x710 Process Information: Process ID: 0x34c Process Name: C:\Windows\System32\services.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;SD;;;WD) 11/09/2020 11:30:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=229015 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SYSVOL\domain Handle ID: 0x430 Process Information: Process ID: 0x34c Process Name: C:\Windows\System32\services.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SA;SD;;;WD) 11/09/2020 11:30:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=229014 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SYSVOL\domain\scripts Handle ID: 0x430 Process Information: Process ID: 0x34c Process Name: C:\Windows\System32\services.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SA;SD;;;WD) 11/09/2020 11:30:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=229013 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SYSVOL\domain\Policies Handle ID: 0x430 Process Information: Process ID: 0x34c Process Name: C:\Windows\System32\services.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SA;SD;;;WD) 11/09/2020 11:30:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=229012 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SYSVOL\domain\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9} Handle ID: 0x430 Process Information: Process ID: 0x34c Process Name: C:\Windows\System32\services.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SA;SD;;;WD) 11/09/2020 11:30:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=229011 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SYSVOL\domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9} Handle ID: 0x430 Process Information: Process ID: 0x34c Process Name: C:\Windows\System32\services.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SA;SD;;;WD) 11/09/2020 11:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=229047 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x111AC9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=229046 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x111AC9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=229045 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=229044 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=229043 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x110749 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=229042 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x110749 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=229041 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=229040 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=229039 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x11055F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=229038 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x11055F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=229037 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=229036 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=229035 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x1102FE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=229034 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x1102FE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=229033 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=229032 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=229031 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x1102AC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=229030 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0xB8ACD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=229029 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x1102AC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=229028 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x1102AC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=229027 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=229026 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=229025 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x11027C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=229024 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x11027C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=229023 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x11027C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=229022 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=229021 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=229020 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0xD3FFD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=229019 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0xBA2BC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=229018 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0xB8CAF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:30:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=229051 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x11273E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:30:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=229050 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x11273E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:30:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=229049 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:30:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=229048 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=229091 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x1182CA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=229090 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x1182CA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=229089 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=229088 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=229087 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x1180DD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=229086 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x1180DD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=229085 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=229084 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=229083 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x1180AD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=229082 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x1180AD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=229081 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x1180AD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=229080 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=229079 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=229078 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x1173CC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=229077 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x1173CC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=229076 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x1173CC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=229075 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=229074 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=229073 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x1171F6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=229072 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x1171F6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=229071 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=229070 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=229069 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x116F98 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=229068 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x116F98 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=229067 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=229066 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=229065 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x116F4F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=229064 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x11055F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=229063 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x116F4F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=229062 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x116F4F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=229061 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=229060 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=229059 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x116F17 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=229058 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x116F17 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=229057 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x116F17 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=229056 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=229055 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=229054 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x11273E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=229053 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x111AC9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=229052 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x110749 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Special Logon OpCode=Info RecordNumber=229096 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x119761 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=229095 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x119761 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logon OpCode=Info RecordNumber=229094 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-259 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5dc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Credential Validation OpCode=Info RecordNumber=229093 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259 TaskCategory=Logoff OpCode=Info RecordNumber=229092 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-259 Logon ID: 0x1182CA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:30:14 AM LogName=Security SourceName=Microsoft-Windows-Eventlog EventCode=1100 EventType=4 Type=Information ComputerName=win-dc-259 TaskCategory=Service shutdown OpCode=Info RecordNumber=229097 Keywords=Audit Success Message=The event logging service has shut down. 11/09/2020 11:30:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=229100 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x24c New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1c0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:30:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=229099 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1c0 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:30:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4826 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Other Policy Change Events OpCode=Info RecordNumber=229098 Keywords=Audit Success Message=Boot Configuration Data loaded. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Off Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Off HyperVisor Debugging: No 11/09/2020 11:30:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=229102 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x284 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x27c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:30:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=229101 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x27c New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1c0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:30:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=229106 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x324 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2c8 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:30:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=229105 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d8 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2c8 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:30:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=229104 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d0 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x27c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:30:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=229103 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2c8 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1c0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:31:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229110 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4608 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security State Change OpCode=Info RecordNumber=229109 Keywords=Audit Success Message=Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. 11/09/2020 11:31:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=229108 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x368 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2d0 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:31:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=229107 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x360 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2d0 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:31:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4902 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=229111 Keywords=Audit Success Message=The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x5749 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4727 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229206 Keywords=Audit Success Message=A security-enabled global group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Group: Security ID: ATTACKRANGE\Protected Users Group Name: Protected Users Group Domain: ATTACKRANGE Attributes: SAM Account Name: Protected Users SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229205 Keywords=Audit Success Message=A security-enabled global group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Cloneable Domain Controllers Group Name: Cloneable Domain Controllers Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4727 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229204 Keywords=Audit Success Message=A security-enabled global group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Group: Security ID: ATTACKRANGE\Cloneable Domain Controllers Group Name: Cloneable Domain Controllers Group Domain: ATTACKRANGE Attributes: SAM Account Name: Cloneable Domain Controllers SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229203 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Denied RODC Password Replication Group Group Name: Denied RODC Password Replication Group Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4732 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229202 Keywords=Audit Success Message=A member was added to a security-enabled local group. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Member: Security ID: ATTACKRANGE\Read-only Domain Controllers Account Name: CN=Read-only Domain Controllers,CN=Users,DC=attackrange,DC=local Group: Security ID: ATTACKRANGE\Denied RODC Password Replication Group Group Name: Denied RODC Password Replication Group Group Domain: ATTACKRANGE Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4755 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229201 Keywords=Audit Success Message=A security-enabled universal group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Enterprise Read-only Domain Controllers Group Name: Enterprise Read-only Domain Controllers Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4754 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229200 Keywords=Audit Success Message=A security-enabled universal group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Enterprise Read-only Domain Controllers Group Name: Enterprise Read-only Domain Controllers Group Domain: ATTACKRANGE Attributes: SAM Account Name: Enterprise Read-only Domain Controllers SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229199 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Denied RODC Password Replication Group Group Name: Denied RODC Password Replication Group Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229198 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Denied RODC Password Replication Group Group Name: Denied RODC Password Replication Group Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229197 Keywords=Audit Success Message=A security-enabled global group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Read-only Domain Controllers Group Name: Read-only Domain Controllers Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4727 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229196 Keywords=Audit Success Message=A security-enabled global group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Group: Security ID: ATTACKRANGE\Read-only Domain Controllers Group Name: Read-only Domain Controllers Group Domain: ATTACKRANGE Attributes: SAM Account Name: Read-only Domain Controllers SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229195 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Denied RODC Password Replication Group Group Name: Denied RODC Password Replication Group Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4732 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229194 Keywords=Audit Success Message=A member was added to a security-enabled local group. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Member: Security ID: ATTACKRANGE\krbtgt Account Name: CN=krbtgt,CN=Users,DC=attackrange,DC=local Group: Security ID: ATTACKRANGE\Denied RODC Password Replication Group Group Name: Denied RODC Password Replication Group Group Domain: ATTACKRANGE Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229193 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Denied RODC Password Replication Group Group Name: Denied RODC Password Replication Group Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4732 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229192 Keywords=Audit Success Message=A member was added to a security-enabled local group. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Member: Security ID: ATTACKRANGE\Domain Controllers Account Name: CN=Domain Controllers,CN=Users,DC=attackrange,DC=local Group: Security ID: ATTACKRANGE\Denied RODC Password Replication Group Group Name: Denied RODC Password Replication Group Group Domain: ATTACKRANGE Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229191 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Denied RODC Password Replication Group Group Name: Denied RODC Password Replication Group Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4732 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229190 Keywords=Audit Success Message=A member was added to a security-enabled local group. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Member: Security ID: ATTACKRANGE\Cert Publishers Account Name: CN=Cert Publishers,CN=Users,DC=attackrange,DC=local Group: Security ID: ATTACKRANGE\Denied RODC Password Replication Group Group Name: Denied RODC Password Replication Group Group Domain: ATTACKRANGE Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229189 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Denied RODC Password Replication Group Group Name: Denied RODC Password Replication Group Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4732 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229188 Keywords=Audit Success Message=A member was added to a security-enabled local group. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Member: Security ID: ATTACKRANGE\Domain Admins Account Name: CN=Domain Admins,CN=Users,DC=attackrange,DC=local Group: Security ID: ATTACKRANGE\Denied RODC Password Replication Group Group Name: Denied RODC Password Replication Group Group Domain: ATTACKRANGE Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229187 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Denied RODC Password Replication Group Group Name: Denied RODC Password Replication Group Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4732 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229186 Keywords=Audit Success Message=A member was added to a security-enabled local group. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Member: Security ID: ATTACKRANGE\Group Policy Creator Owners Account Name: CN=Group Policy Creator Owners,CN=Users,DC=attackrange,DC=local Group: Security ID: ATTACKRANGE\Denied RODC Password Replication Group Group Name: Denied RODC Password Replication Group Group Domain: ATTACKRANGE Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229185 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Denied RODC Password Replication Group Group Name: Denied RODC Password Replication Group Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4731 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229184 Keywords=Audit Success Message=A security-enabled local group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Group: Security ID: ATTACKRANGE\Denied RODC Password Replication Group Group Name: Denied RODC Password Replication Group Group Domain: ATTACKRANGE Attributes: SAM Account Name: Denied RODC Password Replication Group SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229183 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Allowed RODC Password Replication Group Group Name: Allowed RODC Password Replication Group Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4731 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229182 Keywords=Audit Success Message=A security-enabled local group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Group: Security ID: ATTACKRANGE\Allowed RODC Password Replication Group Group Name: Allowed RODC Password Replication Group Group Domain: ATTACKRANGE Attributes: SAM Account Name: Allowed RODC Password Replication Group SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4742 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Computer Account Management OpCode=Info RecordNumber=229181 Keywords=Audit Success Message=A computer account was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Computer Account That Was Changed: Security ID: ATTACKRANGE\WIN-DC-259$ Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - DNS Host Name: - Service Principal Names: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229180 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229179 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: BUILTIN\Windows Authorization Access Group Group Name: Windows Authorization Access Group Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4732 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229178 Keywords=Audit Success Message=A member was added to a security-enabled local group. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Member: Security ID: NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Account Name: - Group: Security ID: BUILTIN\Windows Authorization Access Group Group Name: Windows Authorization Access Group Group Domain: Builtin Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229177 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: BUILTIN\Pre-Windows 2000 Compatible Access Group Name: Pre-Windows 2000 Compatible Access Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4732 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229176 Keywords=Audit Success Message=A member was added to a security-enabled local group. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Member: Security ID: NT AUTHORITY\Authenticated Users Account Name: - Group: Security ID: BUILTIN\Pre-Windows 2000 Compatible Access Group Name: Pre-Windows 2000 Compatible Access Group Domain: Builtin Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229175 Keywords=Audit Success Message=A security-enabled global group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Group Policy Creator Owners Group Name: Group Policy Creator Owners Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4728 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229174 Keywords=Audit Success Message=A member was added to a security-enabled global group. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Member: Security ID: ATTACKRANGE\Administrator Account Name: CN=Administrator,CN=Users,DC=attackrange,DC=local Group: Security ID: ATTACKRANGE\Group Policy Creator Owners Group Name: Group Policy Creator Owners Group Domain: ATTACKRANGE Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4755 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229173 Keywords=Audit Success Message=A security-enabled universal group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Enterprise Admins Group Name: Enterprise Admins Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4756 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229172 Keywords=Audit Success Message=A member was added to a security-enabled universal group. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Member: Security ID: ATTACKRANGE\Administrator Account Name: CN=Administrator,CN=Users,DC=attackrange,DC=local Group: Security ID: ATTACKRANGE\Enterprise Admins Account Name: Enterprise Admins Account Domain: ATTACKRANGE Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4755 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229171 Keywords=Audit Success Message=A security-enabled universal group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Schema Admins Group Name: Schema Admins Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4756 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229170 Keywords=Audit Success Message=A member was added to a security-enabled universal group. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Member: Security ID: ATTACKRANGE\Administrator Account Name: CN=Administrator,CN=Users,DC=attackrange,DC=local Group: Security ID: ATTACKRANGE\Schema Admins Account Name: Schema Admins Account Domain: ATTACKRANGE Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229169 Keywords=Audit Success Message=A security-enabled global group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Domain Admins Group Name: Domain Admins Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4728 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229168 Keywords=Audit Success Message=A member was added to a security-enabled global group. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Member: Security ID: ATTACKRANGE\Administrator Account Name: CN=Administrator,CN=Users,DC=attackrange,DC=local Group: Security ID: ATTACKRANGE\Domain Admins Group Name: Domain Admins Group Domain: ATTACKRANGE Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229167 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: BUILTIN\Guests Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4732 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229166 Keywords=Audit Success Message=A member was added to a security-enabled local group. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Member: Security ID: ATTACKRANGE\Domain Guests Account Name: - Group: Security ID: BUILTIN\Guests Group Name: Guests Group Domain: Builtin Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229165 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: BUILTIN\Users Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4732 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229164 Keywords=Audit Success Message=A member was added to a security-enabled local group. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Member: Security ID: ATTACKRANGE\Domain Users Account Name: - Group: Security ID: BUILTIN\Users Group Name: Users Group Domain: Builtin Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229163 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4732 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229162 Keywords=Audit Success Message=A member was added to a security-enabled local group. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Member: Security ID: ATTACKRANGE\Domain Admins Account Name: - Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229161 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: BUILTIN\Terminal Server License Servers Group Name: Terminal Server License Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4731 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229160 Keywords=Audit Success Message=A security-enabled local group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Group: Security ID: BUILTIN\Terminal Server License Servers Group Name: Terminal Server License Servers Group Domain: Builtin Attributes: SAM Account Name: Terminal Server License Servers SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229159 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: BUILTIN\Windows Authorization Access Group Group Name: Windows Authorization Access Group Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4731 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229158 Keywords=Audit Success Message=A security-enabled local group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Group: Security ID: BUILTIN\Windows Authorization Access Group Group Name: Windows Authorization Access Group Group Domain: Builtin Attributes: SAM Account Name: Windows Authorization Access Group SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229157 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: BUILTIN\Incoming Forest Trust Builders Group Name: Incoming Forest Trust Builders Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4731 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229156 Keywords=Audit Success Message=A security-enabled local group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Group: Security ID: BUILTIN\Incoming Forest Trust Builders Group Name: Incoming Forest Trust Builders Group Domain: Builtin Attributes: SAM Account Name: Incoming Forest Trust Builders SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229155 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: BUILTIN\Pre-Windows 2000 Compatible Access Group Name: Pre-Windows 2000 Compatible Access Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4731 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229154 Keywords=Audit Success Message=A security-enabled local group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Group: Security ID: BUILTIN\Pre-Windows 2000 Compatible Access Group Name: Pre-Windows 2000 Compatible Access Group Domain: Builtin Attributes: SAM Account Name: Pre-Windows 2000 Compatible Access SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229153 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: BUILTIN\Account Operators Group Name: Account Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4731 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229152 Keywords=Audit Success Message=A security-enabled local group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Group: Security ID: BUILTIN\Account Operators Group Name: Account Operators Group Domain: Builtin Attributes: SAM Account Name: Account Operators SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229151 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: BUILTIN\Server Operators Group Name: Server Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4731 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229150 Keywords=Audit Success Message=A security-enabled local group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Group: Security ID: BUILTIN\Server Operators Group Name: Server Operators Group Domain: Builtin Attributes: SAM Account Name: Server Operators SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229149 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\RAS and IAS Servers Group Name: RAS and IAS Servers Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4731 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229148 Keywords=Audit Success Message=A security-enabled local group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Group: Security ID: ATTACKRANGE\RAS and IAS Servers Group Name: RAS and IAS Servers Group Domain: ATTACKRANGE Attributes: SAM Account Name: RAS and IAS Servers SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229147 Keywords=Audit Success Message=A security-enabled global group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Group Policy Creator Owners Group Name: Group Policy Creator Owners Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4727 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229146 Keywords=Audit Success Message=A security-enabled global group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Group: Security ID: ATTACKRANGE\Group Policy Creator Owners Group Name: Group Policy Creator Owners Group Domain: ATTACKRANGE Attributes: SAM Account Name: Group Policy Creator Owners SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229145 Keywords=Audit Success Message=A security-enabled global group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Domain Guests Group Name: Domain Guests Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4727 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229144 Keywords=Audit Success Message=A security-enabled global group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Group: Security ID: ATTACKRANGE\Domain Guests Group Name: Domain Guests Group Domain: ATTACKRANGE Attributes: SAM Account Name: Domain Guests SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229143 Keywords=Audit Success Message=A security-enabled global group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Domain Users Group Name: Domain Users Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4727 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229142 Keywords=Audit Success Message=A security-enabled global group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Group: Security ID: ATTACKRANGE\Domain Users Group Name: Domain Users Group Domain: ATTACKRANGE Attributes: SAM Account Name: Domain Users SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229141 Keywords=Audit Success Message=A security-enabled global group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Domain Admins Group Name: Domain Admins Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4727 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229140 Keywords=Audit Success Message=A security-enabled global group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Group: Security ID: ATTACKRANGE\Domain Admins Group Name: Domain Admins Group Domain: ATTACKRANGE Attributes: SAM Account Name: Domain Admins SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229139 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Cert Publishers Group Name: Cert Publishers Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4731 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229138 Keywords=Audit Success Message=A security-enabled local group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Group: Security ID: ATTACKRANGE\Cert Publishers Group Name: Cert Publishers Group Domain: ATTACKRANGE Attributes: SAM Account Name: Cert Publishers SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4755 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229137 Keywords=Audit Success Message=A security-enabled universal group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Enterprise Admins Group Name: Enterprise Admins Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4754 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229136 Keywords=Audit Success Message=A security-enabled universal group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Enterprise Admins Group Name: Enterprise Admins Group Domain: ATTACKRANGE Attributes: SAM Account Name: Enterprise Admins SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4755 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229135 Keywords=Audit Success Message=A security-enabled universal group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Schema Admins Group Name: Schema Admins Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4754 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229134 Keywords=Audit Success Message=A security-enabled universal group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Schema Admins Group Name: Schema Admins Group Domain: ATTACKRANGE Attributes: SAM Account Name: Schema Admins SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229133 Keywords=Audit Success Message=A security-enabled global group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Domain Controllers Group Name: Domain Controllers Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4727 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229132 Keywords=Audit Success Message=A security-enabled global group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Group: Security ID: ATTACKRANGE\Domain Controllers Group Name: Domain Controllers Group Domain: ATTACKRANGE Attributes: SAM Account Name: Domain Controllers SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229131 Keywords=Audit Success Message=A security-enabled global group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Domain Computers Group Name: Domain Computers Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4727 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229130 Keywords=Audit Success Message=A security-enabled global group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Group: Security ID: ATTACKRANGE\Domain Computers Group Name: Domain Computers Group Domain: ATTACKRANGE Attributes: SAM Account Name: Domain Computers SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=User Account Management OpCode=Info RecordNumber=229129 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Target Account: Security ID: ATTACKRANGE\krbtgt Account Name: krbtgt Account Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=User Account Management OpCode=Info RecordNumber=229128 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Target Account: Security ID: ATTACKRANGE\krbtgt Account Name: krbtgt Account Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: 11/9/2020 11:31:05 AM Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=User Account Management OpCode=Info RecordNumber=229127 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Target Account: Security ID: ATTACKRANGE\krbtgt Account Name: krbtgt Account Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: 0x15 New UAC Value: 0x11 User Account Control: 'Password Not Required' - Disabled User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4720 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=User Account Management OpCode=Info RecordNumber=229126 Keywords=Audit Success Message=A user account was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Account: Security ID: ATTACKRANGE\krbtgt Account Name: krbtgt Account Domain: ATTACKRANGE Attributes: SAM Account Name: krbtgt Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: Account Expires: Primary Group ID: 513 Allowed To Delegate To: - Old UAC Value: 0x0 New UAC Value: 0x15 User Account Control: Account Disabled 'Password Not Required' - Enabled 'Normal Account' - Enabled User Parameters: SID History: - Logon Hours: Additional Information: Privileges - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4742 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Computer Account Management OpCode=Info RecordNumber=229125 Keywords=Audit Success Message=A computer account was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Computer Account That Was Changed: Security ID: ATTACKRANGE\WIN-DC-259$ Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: 11/9/2020 11:31:05 AM Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - DNS Host Name: - Service Principal Names: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4742 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Computer Account Management OpCode=Info RecordNumber=229124 Keywords=Audit Success Message=A computer account was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Computer Account That Was Changed: Security ID: ATTACKRANGE\WIN-DC-259$ Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: 0x105 New UAC Value: 0x2100 User Account Control: Account Enabled 'Password Not Required' - Disabled 'Trusted For Delegation' - Enabled User Parameters: - SID History: - Logon Hours: - DNS Host Name: - Service Principal Names: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4722 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=User Account Management OpCode=Info RecordNumber=229123 Keywords=Audit Success Message=A user account was enabled. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Target Account: Security ID: ATTACKRANGE\WIN-DC-259$ Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4741 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Computer Account Management OpCode=Info RecordNumber=229122 Keywords=Audit Success Message=A computer account was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Computer Account: Security ID: ATTACKRANGE\WIN-DC-259$ Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Attributes: SAM Account Name: WIN-DC-259$ Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: Account Expires: Primary Group ID: 516 AllowedToDelegateTo: - Old UAC Value: 0x0 New UAC Value: 0x105 User Account Control: Account Disabled 'Password Not Required' - Enabled 'Server Trust Account' - Enabled User Parameters: SID History: - Logon Hours: DNS Host Name: - Service Principal Names: - Additional Information: Privileges - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229121 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Performance Log Users Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4731 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229120 Keywords=Audit Success Message=A security-enabled local group was created. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 New Group: Security ID: BUILTIN\Performance Log Users Group Name: Performance Log Users Group Domain: Builtin Attributes: SAM Account Name: Performance Log Users SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229119 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Performance Monitor Users Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4731 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229118 Keywords=Audit Success Message=A security-enabled local group was created. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 New Group: Security ID: BUILTIN\Performance Monitor Users Group Name: Performance Monitor Users Group Domain: Builtin Attributes: SAM Account Name: Performance Monitor Users SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229117 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Network Configuration Operators Group Name: Network Configuration Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4731 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229116 Keywords=Audit Success Message=A security-enabled local group was created. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 New Group: Security ID: BUILTIN\Network Configuration Operators Group Name: Network Configuration Operators Group Domain: Builtin Attributes: SAM Account Name: Network Configuration Operators SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229115 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Remote Desktop Users Group Name: Remote Desktop Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4731 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229114 Keywords=Audit Success Message=A security-enabled local group was created. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 New Group: Security ID: BUILTIN\Remote Desktop Users Group Name: Remote Desktop Users Group Domain: Builtin Attributes: SAM Account Name: Remote Desktop Users SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229113 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Print Operators Group Name: Print Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4731 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229112 Keywords=Audit Success Message=A security-enabled local group was created. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 New Group: Security ID: BUILTIN\Print Operators Group Name: Print Operators Group Domain: Builtin Attributes: SAM Account Name: Print Operators SID History: - Additional Information: Privileges: - 11/09/2020 11:31:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=System Integrity OpCode=Info RecordNumber=229232 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:31:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=229231 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_34ca4ca7-a721-48b1-9db0-17df5a4229a7 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:31:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=System Integrity OpCode=Info RecordNumber=229230 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:31:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=229229 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_34ca4ca7-a721-48b1-9db0-17df5a4229a7 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:31:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229228 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x488 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:31:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229227 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x488 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:31:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5033 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=229226 Keywords=Audit Success Message=The Windows Firewall Driver started successfully. 11/09/2020 11:31:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229225 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xABF1 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 11:31:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229224 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xAC11 Linked Logon ID: 0xABF1 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229223 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xABF1 Linked Logon ID: 0xAC11 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229222 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:31:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229221 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:31:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229220 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x360 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229219 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 11:31:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229218 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x360 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229217 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:31:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229216 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x360 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229215 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 11:31:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229214 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x360 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229213 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:31:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229212 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x360 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4755 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229211 Keywords=Audit Success Message=A security-enabled universal group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Enterprise Key Admins Group Name: Enterprise Key Admins Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4754 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229210 Keywords=Audit Success Message=A security-enabled universal group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Enterprise Key Admins Group Name: Enterprise Key Admins Group Domain: ATTACKRANGE Attributes: SAM Account Name: Enterprise Key Admins SID History: - Additional Information: Privileges: - 11/09/2020 11:31:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229209 Keywords=Audit Success Message=A security-enabled global group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Key Admins Group Name: Key Admins Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4727 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229208 Keywords=Audit Success Message=A security-enabled global group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 New Group: Security ID: ATTACKRANGE\Key Admins Group Name: Key Admins Group Domain: ATTACKRANGE Attributes: SAM Account Name: Key Admins SID History: - Additional Information: Privileges: - 11/09/2020 11:31:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229207 Keywords=Audit Success Message=A security-enabled global group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Protected Users Group Name: Protected Users Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5024 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=229233 Keywords=Audit Success Message=The Windows Firewall service started successfully. 11/09/2020 11:31:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229237 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:31:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229236 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:31:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229235 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:31:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229234 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x360 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229239 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x368 Process Name: C:\Windows\System32\lsass.exe 11/09/2020 11:31:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229238 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x368 Process Name: C:\Windows\System32\lsass.exe 11/09/2020 11:31:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229241 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:31:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229240 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x360 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229258 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:31:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229257 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x360 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229256 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:31:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229255 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x360 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229254 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:31:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229253 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x360 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229252 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:31:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229251 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x360 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229250 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x2851F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229249 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:31:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229248 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x360 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229247 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:31:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229246 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x360 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229245 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:31:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229244 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x360 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229243 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:31:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229242 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x360 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229260 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:31:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229259 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x360 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229262 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:31:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229261 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x360 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4742 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Computer Account Management OpCode=Info RecordNumber=229263 Keywords=Audit Success Message=A computer account was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Computer Account That Was Changed: Security ID: ATTACKRANGE\WIN-DC-259$ Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: 11/9/2020 11:31:34 AM Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - DNS Host Name: - Service Principal Names: - Additional Information: Privileges: - 11/09/2020 11:31:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229277 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x301B9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:31:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229276 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x301B9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 49692 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229275 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x301B9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4727 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229274 Keywords=Audit Success Message=A security-enabled global group was created. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x300A5 New Group: Security ID: ATTACKRANGE\DnsUpdateProxy Group Name: DnsUpdateProxy Group Domain: ATTACKRANGE Attributes: SAM Account Name: DnsUpdateProxy SID History: - Additional Information: Privileges: - 11/09/2020 11:31:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4742 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Computer Account Management OpCode=Info RecordNumber=229273 Keywords=Audit Success Message=A computer account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3012A Computer Account That Was Changed: Security ID: ATTACKRANGE\WIN-DC-259$ Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - DNS Host Name: - Service Principal Names: ldap/win-dc-259.attackrange.local/attackrange.local ldap/win-dc-259.attackrange.local ldap/WIN-DC-259 ldap/win-dc-259.attackrange.local/ATTACKRANGE ldap/d57997e9-2226-46f7-9af4-01c28c3b276c._msdcs.attackrange.local ldap/WIN-DC-259/ATTACKRANGE E3514235-4B06-11D1-AB04-00C04FC2DCD2/d57997e9-2226-46f7-9af4-01c28c3b276c/attackrange.local HOST/win-dc-259.attackrange.local/attackrange.local HOST/win-dc-259.attackrange.local HOST/WIN-DC-259 HOST/win-dc-259.attackrange.local/ATTACKRANGE HOST/WIN-DC-259/ATTACKRANGE RPC/d57997e9-2226-46f7-9af4-01c28c3b276c._msdcs.attackrange.local RestrictedKrbHost/WIN-DC-259 RestrictedKrbHost/win-dc-259.attackrange.local GC/win-dc-259.attackrange.local/attackrange.local DNS/win-dc-259.attackrange.local Additional Information: Privileges: - 11/09/2020 11:31:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229271 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x3012A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 49691 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229270 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3012A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229269 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: ATTACKRANGE\DnsAdmins Group Name: DnsAdmins Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:31:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4731 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229268 Keywords=Audit Success Message=A security-enabled local group was created. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 New Group: Security ID: ATTACKRANGE\DnsAdmins Group Name: DnsAdmins Group Domain: ATTACKRANGE Attributes: SAM Account Name: DnsAdmins SID History: - Additional Information: Privileges: - 11/09/2020 11:31:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229267 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x300A5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 49689 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229266 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x300A5 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229265 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-259$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {746A3F31-B7F5-BBBF-A9B9-50B9CAACAC0C} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:31:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229264 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-DC-259$ Supplied Realm Name: ATTACKRANGE.LOCAL User ID: ATTACKRANGE\WIN-DC-259$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229385 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x33E90 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E83075BA-35C1-EF87-BEAC-24364634FFBC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229384 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x33E90 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229383 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x33E18 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E83075BA-35C1-EF87-BEAC-24364634FFBC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229382 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x33E18 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229381 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x33DA0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E83075BA-35C1-EF87-BEAC-24364634FFBC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229380 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x33DA0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229379 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x33D28 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E83075BA-35C1-EF87-BEAC-24364634FFBC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229378 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x33D28 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229377 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x33CB0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E83075BA-35C1-EF87-BEAC-24364634FFBC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229376 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x33CB0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229375 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x33C38 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E83075BA-35C1-EF87-BEAC-24364634FFBC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229374 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x33C38 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229373 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x30330 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229372 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x33955 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229371 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x33955 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E83075BA-35C1-EF87-BEAC-24364634FFBC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 50700 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229370 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x33955 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229369 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-259$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8A6810C0-B0B9-AE74-80AF-FB89B140A233} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40800000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229368 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x33821 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229367 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x33873 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229366 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x33873 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E83075BA-35C1-EF87-BEAC-24364634FFBC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 50699 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229365 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x33873 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229364 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-259$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8A6810C0-B0B9-AE74-80AF-FB89B140A233} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229363 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x33821 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 50698 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229362 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x33821 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229361 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x336FA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229360 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x336FA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 50697 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229359 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x336FA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229358 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x33575 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229357 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x335D4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229356 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x335D4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 50695 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229355 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x335D4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229354 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x33575 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 50694 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229353 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x33575 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229352 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x33442 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229351 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x33442 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 50693 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229350 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x33442 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229349 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x32332 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229348 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x32A3F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E83075BA-35C1-EF87-BEAC-24364634FFBC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229347 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x32A3F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229346 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x32332 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 52868 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229345 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x32332 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229344 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x322AB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E83075BA-35C1-EF87-BEAC-24364634FFBC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229343 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x322AB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229342 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x32269 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229341 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x32269 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 55439 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229340 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x32269 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229339 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x320F5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E83075BA-35C1-EF87-BEAC-24364634FFBC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229338 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x320F5 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229337 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0xb10 Process Name: C:\Windows\System32\dfsrs.exe 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229336 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xb10 Process Name: C:\Windows\System32\dfsrs.exe 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229335 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x31E7E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229334 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x31F47 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E83075BA-35C1-EF87-BEAC-24364634FFBC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229333 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x31F47 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229332 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x31E7E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 62235 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229331 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x31E7E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229330 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x31E0B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E83075BA-35C1-EF87-BEAC-24364634FFBC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229329 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x31E0B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229328 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x31D15 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E83075BA-35C1-EF87-BEAC-24364634FFBC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229327 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x31D15 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229326 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x31C4F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E83075BA-35C1-EF87-BEAC-24364634FFBC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229325 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x31C4F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229324 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x318AD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229322 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x31A62 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E83075BA-35C1-EF87-BEAC-24364634FFBC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229321 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x31A62 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229320 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x318AD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 55800 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229319 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x318AD Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229318 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x31746 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E83075BA-35C1-EF87-BEAC-24364634FFBC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229317 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x31746 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229316 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x313F4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E83075BA-35C1-EF87-BEAC-24364634FFBC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229315 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x313F4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229314 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x312AD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E83075BA-35C1-EF87-BEAC-24364634FFBC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229313 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x312AD Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229312 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x311AB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 65107 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229311 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x311AB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229310 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x30DB6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229309 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x30F30 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E83075BA-35C1-EF87-BEAC-24364634FFBC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229308 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x30F30 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229307 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x30E57 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229306 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x30E57 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 65106 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229305 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x30E57 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229304 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x30DB6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 65104 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229303 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x30DB6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229302 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x30D64 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E83075BA-35C1-EF87-BEAC-24364634FFBC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229301 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x30D64 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229300 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x3092E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E83075BA-35C1-EF87-BEAC-24364634FFBC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229299 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3092E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229298 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-259$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8A6810C0-B0B9-AE74-80AF-FB89B140A233} Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x60810010 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229297 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x30892 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 49702 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229296 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x30892 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229295 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-259$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8A6810C0-B0B9-AE74-80AF-FB89B140A233} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229294 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x30478 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 49699 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229293 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x30478 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229292 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x30382 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E83075BA-35C1-EF87-BEAC-24364634FFBC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 49688 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229291 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x30382 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229290 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x30331 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 49685 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229289 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x30330 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 49675 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229288 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-259$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8A6810C0-B0B9-AE74-80AF-FB89B140A233} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229287 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x30331 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229286 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x30329 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 49686 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229285 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x30330 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229284 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x30329 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229283 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x302DD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229282 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x302DD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 49695 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229281 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x302DD Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229280 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3028A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229279 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x3028A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 49694 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229278 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3028A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229391 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3408E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:31:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229390 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x3408E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E83075BA-35C1-EF87-BEAC-24364634FFBC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 2001:0:2851:782c:2448:33de:f5ff:fef1 Source Port: 58826 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229389 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3408E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229388 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3402C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:31:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229387 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x3402C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E83075BA-35C1-EF87-BEAC-24364634FFBC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 58825 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229386 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3402C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229393 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x34561 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E83075BA-35C1-EF87-BEAC-24364634FFBC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 2001:0:2851:782c:2448:33de:f5ff:fef1 Source Port: 58827 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229392 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x34561 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229438 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: ATTACKRANGE\WIN-DC-259$ Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x37DFF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F134DF22-2C03-D61A-E441-42DF72FD8CBF} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229437 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\WIN-DC-259$ Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x37DFF Privileges: SeAuditPrivilege SeImpersonatePrivilege SeAssignPrimaryTokenPrivilege 11/09/2020 11:31:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229436 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-259$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {F2A6B541-8FC9-FD52-A97E-BD06EDA453BF} Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x60810010 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:31:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229435 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-259$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {F2A6B541-8FC9-FD52-A97E-BD06EDA453BF} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:31:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229434 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-DC-259$ Supplied Realm Name: attackrange.local User ID: ATTACKRANGE\WIN-DC-259$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:31:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229433 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x36784 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:31:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229432 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x36784 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 58716 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229431 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x36784 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229430 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x361C0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:31:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229429 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x36228 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E83075BA-35C1-EF87-BEAC-24364634FFBC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229428 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x36228 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229427 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x361C0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 62354 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229426 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x361C0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229424 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x36133 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E83075BA-35C1-EF87-BEAC-24364634FFBC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229423 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x36133 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229422 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x360B6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E83075BA-35C1-EF87-BEAC-24364634FFBC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229421 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x360B6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229420 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x36039 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E83075BA-35C1-EF87-BEAC-24364634FFBC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229419 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x36039 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229418 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x35F79 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E83075BA-35C1-EF87-BEAC-24364634FFBC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229417 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x35F79 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229416 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x35CE1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:31:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229415 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x35E0C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:31:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229413 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x35E0C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 61125 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229412 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x35E0C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229410 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x35D70 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E83075BA-35C1-EF87-BEAC-24364634FFBC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229409 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x35D70 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229407 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x35CE1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 58832 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229406 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x35CE1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229405 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x35AF0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:31:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229404 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x35C16 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:31:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229402 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x35C16 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 58831 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229401 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x35C16 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229398 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x35B3A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F134DF22-2C03-D61A-E441-42DF72FD8CBF} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 58830 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229397 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x35B3A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229396 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-259$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {F2A6B541-8FC9-FD52-A97E-BD06EDA453BF} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40800000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:31:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229395 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x35AF0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 58828 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229394 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x35AF0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:31:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229450 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0xd68 Process Name: C:\Windows\System32\VSSVC.exe 11/09/2020 11:31:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229449 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xd68 Process Name: C:\Windows\System32\VSSVC.exe 11/09/2020 11:31:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229448 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0xd68 Process Name: C:\Windows\System32\VSSVC.exe 11/09/2020 11:31:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229447 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xd68 Process Name: C:\Windows\System32\VSSVC.exe 11/09/2020 11:31:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229446 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0xd68 Process Name: C:\Windows\System32\VSSVC.exe 11/09/2020 11:31:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229445 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xd68 Process Name: C:\Windows\System32\VSSVC.exe 11/09/2020 11:31:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229444 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:31:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229443 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x360 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229442 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0xd68 Process Name: C:\Windows\System32\VSSVC.exe 11/09/2020 11:31:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229441 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xd68 Process Name: C:\Windows\System32\VSSVC.exe 11/09/2020 11:31:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229440 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:31:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229439 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x360 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4742 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Computer Account Management OpCode=Info RecordNumber=229456 Keywords=Audit Success Message=A computer account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x39898 Computer Account That Was Changed: Security ID: ATTACKRANGE\WIN-DC-259$ Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - DNS Host Name: - Service Principal Names: ldap/win-dc-259.attackrange.local/attackrange.local ldap/win-dc-259.attackrange.local ldap/WIN-DC-259 ldap/win-dc-259.attackrange.local/ATTACKRANGE ldap/d57997e9-2226-46f7-9af4-01c28c3b276c._msdcs.attackrange.local ldap/WIN-DC-259/ATTACKRANGE E3514235-4B06-11D1-AB04-00C04FC2DCD2/d57997e9-2226-46f7-9af4-01c28c3b276c/attackrange.local HOST/win-dc-259.attackrange.local/attackrange.local HOST/win-dc-259.attackrange.local HOST/WIN-DC-259 HOST/win-dc-259.attackrange.local/ATTACKRANGE HOST/WIN-DC-259/ATTACKRANGE RPC/d57997e9-2226-46f7-9af4-01c28c3b276c._msdcs.attackrange.local RestrictedKrbHost/WIN-DC-259 RestrictedKrbHost/win-dc-259.attackrange.local GC/win-dc-259.attackrange.local/attackrange.local DNS/win-dc-259.attackrange.local ldap/win-dc-259.attackrange.local/DomainDnsZones.attackrange.local ldap/win-dc-259.attackrange.local/ForestDnsZones.attackrange.local TERMSRV/win-dc-259.attackrange.local TERMSRV/WIN-DC-259 Additional Information: Privileges: - 11/09/2020 11:31:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4742 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Computer Account Management OpCode=Info RecordNumber=229454 Keywords=Audit Success Message=A computer account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x39898 Computer Account That Was Changed: Security ID: ATTACKRANGE\WIN-DC-259$ Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - DNS Host Name: - Service Principal Names: ldap/win-dc-259.attackrange.local/attackrange.local ldap/win-dc-259.attackrange.local ldap/WIN-DC-259 ldap/win-dc-259.attackrange.local/ATTACKRANGE ldap/d57997e9-2226-46f7-9af4-01c28c3b276c._msdcs.attackrange.local ldap/WIN-DC-259/ATTACKRANGE E3514235-4B06-11D1-AB04-00C04FC2DCD2/d57997e9-2226-46f7-9af4-01c28c3b276c/attackrange.local HOST/win-dc-259.attackrange.local/attackrange.local HOST/win-dc-259.attackrange.local HOST/WIN-DC-259 HOST/win-dc-259.attackrange.local/ATTACKRANGE HOST/WIN-DC-259/ATTACKRANGE RPC/d57997e9-2226-46f7-9af4-01c28c3b276c._msdcs.attackrange.local RestrictedKrbHost/WIN-DC-259 RestrictedKrbHost/win-dc-259.attackrange.local GC/win-dc-259.attackrange.local/attackrange.local DNS/win-dc-259.attackrange.local ldap/win-dc-259.attackrange.local/DomainDnsZones.attackrange.local ldap/win-dc-259.attackrange.local/ForestDnsZones.attackrange.local TERMSRV/win-dc-259.attackrange.local Additional Information: Privileges: - 11/09/2020 11:31:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229452 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x39898 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 60417 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:31:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229451 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x39898 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:32:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229457 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x34561 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:32:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229465 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x425A4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:32:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229464 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x425A4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 60421 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:32:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229463 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x425A4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:32:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229462 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x4256A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 60420 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:32:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229461 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x4256A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:32:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229460 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x4251B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:32:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229459 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x4251B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 60418 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:32:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229458 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x4251B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229509 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x45AC9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229508 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x462BC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229507 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x462E3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229506 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x462E3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C56EEC0B-2A2C-8BB3-BA50-A4497BB32C3C} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229505 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x462E3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229504 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon GUID: {092AB81E-B287-09A1-2420-7C2695271BC4} Target Server: Target Server Name: win-dc-259$ Additional Information: win-dc-259$ Process Information: Process ID: 0x2ec Process Name: C:\Windows\System32\taskhostw.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229503 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-259$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {092AB81E-B287-09A1-2420-7C2695271BC4} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229502 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-DC-259$ Supplied Realm Name: ATTACKRANGE.LOCAL User ID: ATTACKRANGE\WIN-DC-259$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229501 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x462BC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E83075BA-35C1-EF87-BEAC-24364634FFBC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 2001:0:2851:782c:2448:33de:f5ff:fef1 Source Port: 60429 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229500 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x462BC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229499 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x460D2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229498 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x46227 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229497 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x46227 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C56EEC0B-2A2C-8BB3-BA50-A4497BB32C3C} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229496 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x46227 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229495 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon GUID: {092AB81E-B287-09A1-2420-7C2695271BC4} Target Server: Target Server Name: win-dc-259$ Additional Information: win-dc-259$ Process Information: Process ID: 0x2ec Process Name: C:\Windows\System32\taskhostw.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229494 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-259$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {092AB81E-B287-09A1-2420-7C2695271BC4} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229493 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-DC-259$ Supplied Realm Name: ATTACKRANGE.LOCAL User ID: ATTACKRANGE\WIN-DC-259$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229492 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x460D2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E83075BA-35C1-EF87-BEAC-24364634FFBC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 2001:0:2851:782c:2448:33de:f5ff:fef1 Source Port: 60428 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229491 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x460D2 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229490 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x45EDE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229489 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x45EDE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 60427 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229488 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x45EDE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229487 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x45D6A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229486 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x45D6A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E83075BA-35C1-EF87-BEAC-24364634FFBC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 2001:0:2851:782c:2448:33de:f5ff:fef1 Source Port: 60426 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229485 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x45D6A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229484 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x45AC9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 60425 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229483 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x45AC9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229482 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x4275C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4713 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Authentication Policy Change OpCode=Info RecordNumber=229481 Keywords=Audit Success Message=Kerberos policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Changes Made: ('--' means no changes, otherwise each change is shown as: (Parameter Name): (new value) (old value)) KerOpts: 0x80 (none); KerMinT: 0x53d1ac1000 (none); KerMaxT: 0x53d1ac1000 (none); KerMaxR: 0x58028e44000 (none); KerProxy: 0xb2d05e00 (none); KerLogoff: 0x9 (none); 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4739 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Authentication Policy Change OpCode=Info RecordNumber=229480 Keywords=Audit Success Message=Domain Policy was changed. Change Type: Password Policy modified Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Domain: Domain Name: ATTACKRANGE Domain ID: ATTACKRANGE\ Changed Attributes: Min. Password Age: Max. Password Age: Force Logoff: Lockout Threshold: Lockout Observation Window: - Lockout Duration: - Password Properties: - Min. Password Length: - Password History Length: - Machine Account Quota: - Mixed Domain Mode: 7 Domain Behavior Version: 24 OEM Information: - Additional Information: Privileges: - 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229479 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x429E4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229478 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x429E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C56EEC0B-2A2C-8BB3-BA50-A4497BB32C3C} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229477 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x429E4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229476 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x4285C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229475 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x428A0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229474 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x4290C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E83075BA-35C1-EF87-BEAC-24364634FFBC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 60424 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229473 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x4290C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229472 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x428A0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E83075BA-35C1-EF87-BEAC-24364634FFBC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 2001:0:2851:782c:2448:33de:f5ff:fef1 Source Port: 60423 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229471 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x428A0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229470 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x4285C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C56EEC0B-2A2C-8BB3-BA50-A4497BB32C3C} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229469 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x4285C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229468 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-259$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {092AB81E-B287-09A1-2420-7C2695271BC4} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229467 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x4275C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E83075BA-35C1-EF87-BEAC-24364634FFBC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 60422 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:33:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229466 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x4275C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:33:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229510 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x4290C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:33:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229513 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x48E4D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:33:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229512 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x48E4D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 60430 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:33:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229511 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x48E4D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:34:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229514 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x30382 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:34:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229515 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x39898 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:34:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229516 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3012A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:34:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229519 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x49383 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:34:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229518 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x49383 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 60431 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:34:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229517 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x49383 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:34:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229546 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3092E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:34:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229545 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x30D64 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:34:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229544 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x30F30 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:34:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229543 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x312AD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:34:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229542 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x313F4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:34:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229541 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x31746 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:34:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229540 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x31A62 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:34:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229539 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x31C4F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:34:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229538 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x31D15 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:34:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229537 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x31E0B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:34:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229536 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x31F47 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:34:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229535 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x320F5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:34:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229534 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x322AB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:34:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229533 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x32A3F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:34:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229532 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x33C38 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:34:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229531 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x33CB0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:34:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229530 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x33D28 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:34:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229529 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x33DA0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:34:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229528 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x33E18 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:34:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229527 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x33E90 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:34:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229526 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x35D70 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:34:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229525 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x35F79 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:34:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229524 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x36039 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:34:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229523 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x360B6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:34:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229522 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x36133 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:34:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229521 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x36228 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:34:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229520 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-DC-259$ Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x37DFF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229564 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4A258 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229563 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4A258 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {70592038-0C0C-054D-CA44-A6F5638722D6} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229562 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {70592038-0C0C-054D-CA44-A6F5638722D6} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229561 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {70592038-0C0C-054D-CA44-A6F5638722D6} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229560 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229559 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4A0EE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229558 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4A0EE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {70592038-0C0C-054D-CA44-A6F5638722D6} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229557 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {70592038-0C0C-054D-CA44-A6F5638722D6} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229556 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {70592038-0C0C-054D-CA44-A6F5638722D6} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229555 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=229554 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x488 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:35:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229553 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x49A1E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229552 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x49A1E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {70592038-0C0C-054D-CA44-A6F5638722D6} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229551 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {70592038-0C0C-054D-CA44-A6F5638722D6} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229550 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {70592038-0C0C-054D-CA44-A6F5638722D6} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229549 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=System Integrity OpCode=Info RecordNumber=229548 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: tp-afe7d474-c623-4bbd-a160-c4a182231e76 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:35:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=229547 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 70e9b61ed37810c0b430a5837f45d644_34ca4ca7-a721-48b1-9db0-17df5a4229a7 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\70e9b61ed37810c0b430a5837f45d644_34ca4ca7-a721-48b1-9db0-17df5a4229a7 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:35:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229599 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4B521 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229598 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4C0F5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229597 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4C0F5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D5BBFF32-239D-3D00-E92D-71703A3E7A21} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229596 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {D5BBFF32-239D-3D00-E92D-71703A3E7A21} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229595 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {D5BBFF32-239D-3D00-E92D-71703A3E7A21} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229594 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229593 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4C0D9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229592 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4C0D9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229591 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4C0D9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D5BBFF32-239D-3D00-E92D-71703A3E7A21} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229590 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {D5BBFF32-239D-3D00-E92D-71703A3E7A21} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229589 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {D5BBFF32-239D-3D00-E92D-71703A3E7A21} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229588 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229587 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4B6D3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229586 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4B6D3 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229585 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4B6D3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D5BBFF32-239D-3D00-E92D-71703A3E7A21} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229584 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {D5BBFF32-239D-3D00-E92D-71703A3E7A21} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229583 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {D5BBFF32-239D-3D00-E92D-71703A3E7A21} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229582 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229581 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4B521 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229580 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4B521 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D5BBFF32-239D-3D00-E92D-71703A3E7A21} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229579 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {D5BBFF32-239D-3D00-E92D-71703A3E7A21} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229578 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {D5BBFF32-239D-3D00-E92D-71703A3E7A21} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229577 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229576 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4B2CF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229575 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4B2CF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D5BBFF32-239D-3D00-E92D-71703A3E7A21} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229574 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {D5BBFF32-239D-3D00-E92D-71703A3E7A21} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229573 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {D5BBFF32-239D-3D00-E92D-71703A3E7A21} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229572 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229571 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4B2A1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229570 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4B2A1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229569 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4B2A1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D5BBFF32-239D-3D00-E92D-71703A3E7A21} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229568 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {D5BBFF32-239D-3D00-E92D-71703A3E7A21} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229567 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {D5BBFF32-239D-3D00-E92D-71703A3E7A21} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229566 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229565 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4A258 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229621 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4D898 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229620 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4D898 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {31B35F75-BEEB-A4BE-7540-869E7F22A38B} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229619 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {31B35F75-BEEB-A4BE-7540-869E7F22A38B} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229618 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {31B35F75-BEEB-A4BE-7540-869E7F22A38B} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229617 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229616 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4C589 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229615 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4C589 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {31B35F75-BEEB-A4BE-7540-869E7F22A38B} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229614 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {31B35F75-BEEB-A4BE-7540-869E7F22A38B} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229613 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {31B35F75-BEEB-A4BE-7540-869E7F22A38B} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229612 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229611 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4C37A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229610 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4C37A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {31B35F75-BEEB-A4BE-7540-869E7F22A38B} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229609 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {31B35F75-BEEB-A4BE-7540-869E7F22A38B} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229608 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {31B35F75-BEEB-A4BE-7540-869E7F22A38B} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229607 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229606 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4C12E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229605 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4C12E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {31B35F75-BEEB-A4BE-7540-869E7F22A38B} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229604 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {31B35F75-BEEB-A4BE-7540-869E7F22A38B} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229603 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {31B35F75-BEEB-A4BE-7540-869E7F22A38B} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229602 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229601 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4C0F5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229600 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4B2CF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229626 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4DBFE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229625 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4DBFE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D3247330-AC7D-CBD3-5C00-C03DF43E739C} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229624 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {D3247330-AC7D-CBD3-5C00-C03DF43E739C} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229623 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {D3247330-AC7D-CBD3-5C00-C03DF43E739C} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229622 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229628 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229627 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x360 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229655 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x55F70 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229654 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x55F70 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {6FD7D6B1-3E7E-0198-3690-1D96486F1D7C} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229653 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {6FD7D6B1-3E7E-0198-3690-1D96486F1D7C} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229652 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {6FD7D6B1-3E7E-0198-3690-1D96486F1D7C} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229651 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229650 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x55D24 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229649 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x55D24 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {6FD7D6B1-3E7E-0198-3690-1D96486F1D7C} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229648 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {6FD7D6B1-3E7E-0198-3690-1D96486F1D7C} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229647 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {6FD7D6B1-3E7E-0198-3690-1D96486F1D7C} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229646 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229645 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x55CEB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229644 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4C12E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229643 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4C37A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229642 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x55CEB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229641 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x55CEB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {6FD7D6B1-3E7E-0198-3690-1D96486F1D7C} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229640 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {6FD7D6B1-3E7E-0198-3690-1D96486F1D7C} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229639 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {6FD7D6B1-3E7E-0198-3690-1D96486F1D7C} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229638 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229637 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x55CCF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229636 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x55CCF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229635 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x55CCF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {6FD7D6B1-3E7E-0198-3690-1D96486F1D7C} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229634 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {6FD7D6B1-3E7E-0198-3690-1D96486F1D7C} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229633 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {6FD7D6B1-3E7E-0198-3690-1D96486F1D7C} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229632 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229631 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4DBFE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229630 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4D898 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229629 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4C589 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229670 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x578CF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229669 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x578CF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E74067E6-73D2-0641-0B0E-4E5FBD404F5C} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229668 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {E74067E6-73D2-0641-0B0E-4E5FBD404F5C} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229667 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {E74067E6-73D2-0641-0B0E-4E5FBD404F5C} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229666 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229665 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x575FC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229664 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x575FC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E74067E6-73D2-0641-0B0E-4E5FBD404F5C} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229663 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {E74067E6-73D2-0641-0B0E-4E5FBD404F5C} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229662 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {E74067E6-73D2-0641-0B0E-4E5FBD404F5C} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229661 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229660 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x56377 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229659 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x56377 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E74067E6-73D2-0641-0B0E-4E5FBD404F5C} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229658 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {E74067E6-73D2-0641-0B0E-4E5FBD404F5C} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229657 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {E74067E6-73D2-0641-0B0E-4E5FBD404F5C} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229656 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229687 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x57EFF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229686 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x55D24 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229685 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x55F70 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229684 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x57EFF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229683 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x57EFF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EBA84A39-BB64-4B19-80CF-4FE4EA25466F} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229682 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {EBA84A39-BB64-4B19-80CF-4FE4EA25466F} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229681 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {EBA84A39-BB64-4B19-80CF-4FE4EA25466F} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229680 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229679 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x57ED7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229678 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x57ED7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229677 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x57ED7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EBA84A39-BB64-4B19-80CF-4FE4EA25466F} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229676 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {EBA84A39-BB64-4B19-80CF-4FE4EA25466F} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229675 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {EBA84A39-BB64-4B19-80CF-4FE4EA25466F} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229674 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229673 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x578CF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229672 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x575FC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229671 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x56377 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229707 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x59815 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229706 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x59815 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {30C6DCD0-AB47-3806-7571-2AAA493F4186} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229705 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {30C6DCD0-AB47-3806-7571-2AAA493F4186} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229704 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {30C6DCD0-AB47-3806-7571-2AAA493F4186} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229703 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229702 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x58443 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229701 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x58443 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {30C6DCD0-AB47-3806-7571-2AAA493F4186} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229700 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {30C6DCD0-AB47-3806-7571-2AAA493F4186} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229699 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {30C6DCD0-AB47-3806-7571-2AAA493F4186} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229698 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229697 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x58184 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229696 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x58184 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {30C6DCD0-AB47-3806-7571-2AAA493F4186} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229695 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {30C6DCD0-AB47-3806-7571-2AAA493F4186} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229694 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {30C6DCD0-AB47-3806-7571-2AAA493F4186} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229693 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229692 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x57F38 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229691 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x57F38 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {30C6DCD0-AB47-3806-7571-2AAA493F4186} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229690 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {30C6DCD0-AB47-3806-7571-2AAA493F4186} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229689 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {30C6DCD0-AB47-3806-7571-2AAA493F4186} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229688 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229712 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x59E7D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229711 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x59E7D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {30C6DCD0-AB47-3806-7571-2AAA493F4186} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229710 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {30C6DCD0-AB47-3806-7571-2AAA493F4186} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229709 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {30C6DCD0-AB47-3806-7571-2AAA493F4186} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229708 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229729 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5AF3C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229728 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x57F38 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229727 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x58184 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229726 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5AF3C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229725 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5AF3C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9C789E73-17D6-C58C-B853-74D434C1EF8F} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229724 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {9C789E73-17D6-C58C-B853-74D434C1EF8F} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229723 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {9C789E73-17D6-C58C-B853-74D434C1EF8F} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229722 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229721 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5AF20 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229720 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5AF20 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229719 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5AF20 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9C789E73-17D6-C58C-B853-74D434C1EF8F} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229718 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {9C789E73-17D6-C58C-B853-74D434C1EF8F} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229717 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {9C789E73-17D6-C58C-B853-74D434C1EF8F} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229716 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229715 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x59E7D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229714 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x59815 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229713 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x58443 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229749 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5C729 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229748 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5C729 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7688B213-E10E-4531-3C63-D69398F7FB7D} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229747 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {7688B213-E10E-4531-3C63-D69398F7FB7D} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229746 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {7688B213-E10E-4531-3C63-D69398F7FB7D} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229745 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229744 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5B445 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229743 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5B445 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7688B213-E10E-4531-3C63-D69398F7FB7D} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229742 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {7688B213-E10E-4531-3C63-D69398F7FB7D} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229741 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {7688B213-E10E-4531-3C63-D69398F7FB7D} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229740 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229739 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5B1BD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229738 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5B1BD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7688B213-E10E-4531-3C63-D69398F7FB7D} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229737 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {7688B213-E10E-4531-3C63-D69398F7FB7D} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229736 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {7688B213-E10E-4531-3C63-D69398F7FB7D} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229735 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229734 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5AF71 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229733 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5AF71 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7688B213-E10E-4531-3C63-D69398F7FB7D} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229732 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {7688B213-E10E-4531-3C63-D69398F7FB7D} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229731 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {7688B213-E10E-4531-3C63-D69398F7FB7D} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229730 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229754 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5CD94 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229753 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5CD94 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A0E6B92C-5349-2BF4-691F-39820DDDF084} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229752 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {A0E6B92C-5349-2BF4-691F-39820DDDF084} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229751 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {A0E6B92C-5349-2BF4-691F-39820DDDF084} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229750 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229756 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229755 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x360 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229765 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x6FA9F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229764 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x6FA9F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 60436 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229763 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x6FA9F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:35:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229762 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x6F74D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229761 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x6F74D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {520D6E59-FFF9-5819-53DA-765FFEDDAA1A} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229760 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {520D6E59-FFF9-5819-53DA-765FFEDDAA1A} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229759 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {520D6E59-FFF9-5819-53DA-765FFEDDAA1A} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229758 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229757 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5CD94 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229791 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x70FB5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229790 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x70FB5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BC193987-FF60-3AA7-94CF-CC37071A5598} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229789 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {BC193987-FF60-3AA7-94CF-CC37071A5598} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229788 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {BC193987-FF60-3AA7-94CF-CC37071A5598} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229787 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229786 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x70CB9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229785 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x70CB9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BC193987-FF60-3AA7-94CF-CC37071A5598} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229784 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {BC193987-FF60-3AA7-94CF-CC37071A5598} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229783 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {BC193987-FF60-3AA7-94CF-CC37071A5598} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229782 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229781 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x70C1C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229780 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5B1BD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229779 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x70C1C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229778 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x70C1C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BC193987-FF60-3AA7-94CF-CC37071A5598} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229777 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {BC193987-FF60-3AA7-94CF-CC37071A5598} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229776 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {BC193987-FF60-3AA7-94CF-CC37071A5598} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229775 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229774 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x70BF6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229773 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x70BF6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229772 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x70BF6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BC193987-FF60-3AA7-94CF-CC37071A5598} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229771 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {BC193987-FF60-3AA7-94CF-CC37071A5598} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229770 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {BC193987-FF60-3AA7-94CF-CC37071A5598} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229769 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229768 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x6F74D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229767 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5C729 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229766 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x5B445 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229806 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x73214 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229805 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x73214 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B607084C-2D83-7441-ECA8-10BE9D642B0E} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229804 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B607084C-2D83-7441-ECA8-10BE9D642B0E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229803 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B607084C-2D83-7441-ECA8-10BE9D642B0E} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229802 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229801 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7252B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229800 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7252B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B607084C-2D83-7441-ECA8-10BE9D642B0E} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229799 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B607084C-2D83-7441-ECA8-10BE9D642B0E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229798 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B607084C-2D83-7441-ECA8-10BE9D642B0E} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229797 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229796 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x71251 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229795 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x71251 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B607084C-2D83-7441-ECA8-10BE9D642B0E} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229794 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B607084C-2D83-7441-ECA8-10BE9D642B0E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229793 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B607084C-2D83-7441-ECA8-10BE9D642B0E} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229792 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229823 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x765D0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229822 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x70CB9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229821 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x70FB5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229820 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x765D0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229819 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x765D0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FED4DEB1-5F2A-C042-AA17-E314E5A1A8C0} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229818 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FED4DEB1-5F2A-C042-AA17-E314E5A1A8C0} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229817 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FED4DEB1-5F2A-C042-AA17-E314E5A1A8C0} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229816 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229815 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x765B4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229814 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x765B4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229813 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x765B4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FED4DEB1-5F2A-C042-AA17-E314E5A1A8C0} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229812 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FED4DEB1-5F2A-C042-AA17-E314E5A1A8C0} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229811 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FED4DEB1-5F2A-C042-AA17-E314E5A1A8C0} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229810 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229809 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x73214 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229808 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7252B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229807 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x71251 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229843 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7824E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229842 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7824E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {392D3B26-9682-929C-E01D-B11F08D2F989} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229841 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {392D3B26-9682-929C-E01D-B11F08D2F989} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229840 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {392D3B26-9682-929C-E01D-B11F08D2F989} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229839 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229838 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x76C2E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229837 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x76C2E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {392D3B26-9682-929C-E01D-B11F08D2F989} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229836 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {392D3B26-9682-929C-E01D-B11F08D2F989} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229835 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {392D3B26-9682-929C-E01D-B11F08D2F989} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229834 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229833 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x769E0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229832 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x769E0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {392D3B26-9682-929C-E01D-B11F08D2F989} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229831 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {392D3B26-9682-929C-E01D-B11F08D2F989} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229830 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {392D3B26-9682-929C-E01D-B11F08D2F989} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229829 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229828 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x76794 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229827 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x76794 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {392D3B26-9682-929C-E01D-B11F08D2F989} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229826 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {392D3B26-9682-929C-E01D-B11F08D2F989} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229825 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {392D3B26-9682-929C-E01D-B11F08D2F989} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229824 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229880 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7A63E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229879 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7A63E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B2B76CD1-A6C0-400B-023F-399F1254B444} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229878 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B2B76CD1-A6C0-400B-023F-399F1254B444} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229877 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B2B76CD1-A6C0-400B-023F-399F1254B444} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229876 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229875 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x78F29 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229874 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x78F29 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229873 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x78F29 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B2B76CD1-A6C0-400B-023F-399F1254B444} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229872 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B2B76CD1-A6C0-400B-023F-399F1254B444} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229871 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B2B76CD1-A6C0-400B-023F-399F1254B444} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229870 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229869 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x78D13 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229868 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x78D13 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B2B76CD1-A6C0-400B-023F-399F1254B444} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229867 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B2B76CD1-A6C0-400B-023F-399F1254B444} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229866 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B2B76CD1-A6C0-400B-023F-399F1254B444} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229865 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229864 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x78AB1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229863 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x78AB1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B2B76CD1-A6C0-400B-023F-399F1254B444} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229862 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B2B76CD1-A6C0-400B-023F-399F1254B444} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229861 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B2B76CD1-A6C0-400B-023F-399F1254B444} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229860 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229859 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x788CD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229858 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x76794 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229857 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x769E0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229856 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x788CD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229855 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x788CD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B2B76CD1-A6C0-400B-023F-399F1254B444} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229854 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B2B76CD1-A6C0-400B-023F-399F1254B444} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229853 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B2B76CD1-A6C0-400B-023F-399F1254B444} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229852 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229851 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x788A6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229850 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x788A6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229849 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x788A6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B2B76CD1-A6C0-400B-023F-399F1254B444} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229848 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B2B76CD1-A6C0-400B-023F-399F1254B444} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229847 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B2B76CD1-A6C0-400B-023F-399F1254B444} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229846 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229845 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7824E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229844 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x76C2E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229891 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7A99C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229890 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7A99C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5775B0F8-DAAF-14C9-0940-6034F3C9395E} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229889 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {5775B0F8-DAAF-14C9-0940-6034F3C9395E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229888 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {5775B0F8-DAAF-14C9-0940-6034F3C9395E} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229887 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229886 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7A7AA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229885 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7A7AA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5775B0F8-DAAF-14C9-0940-6034F3C9395E} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229884 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {5775B0F8-DAAF-14C9-0940-6034F3C9395E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229883 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {5775B0F8-DAAF-14C9-0940-6034F3C9395E} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229882 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229881 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7A63E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229901 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7C5AA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229900 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7C5AA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {530DB89C-5A53-A38A-1F4D-18443DC54C02} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229899 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {530DB89C-5A53-A38A-1F4D-18443DC54C02} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229898 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {530DB89C-5A53-A38A-1F4D-18443DC54C02} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229897 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229896 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7C128 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229895 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7C128 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {530DB89C-5A53-A38A-1F4D-18443DC54C02} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229894 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {530DB89C-5A53-A38A-1F4D-18443DC54C02} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229893 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {530DB89C-5A53-A38A-1F4D-18443DC54C02} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229892 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229932 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7FAA4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229931 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7FAA4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8A71F249-46BD-7AC9-10BE-536C449D1238} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229930 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {8A71F249-46BD-7AC9-10BE-536C449D1238} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229929 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8A71F249-46BD-7AC9-10BE-536C449D1238} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229928 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229927 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7F5DB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229926 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7EF49 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229925 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7F5DB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229924 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7F5DB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8A71F249-46BD-7AC9-10BE-536C449D1238} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229923 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {8A71F249-46BD-7AC9-10BE-536C449D1238} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229922 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8A71F249-46BD-7AC9-10BE-536C449D1238} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229921 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229920 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7EF49 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229919 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7EF49 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8A71F249-46BD-7AC9-10BE-536C449D1238} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229918 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {8A71F249-46BD-7AC9-10BE-536C449D1238} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229917 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8A71F249-46BD-7AC9-10BE-536C449D1238} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229916 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229915 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7ED2C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229914 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7ED2C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8A71F249-46BD-7AC9-10BE-536C449D1238} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229913 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {8A71F249-46BD-7AC9-10BE-536C449D1238} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229912 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8A71F249-46BD-7AC9-10BE-536C449D1238} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229911 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229910 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7ED10 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229909 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7ED10 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229908 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7ED10 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8A71F249-46BD-7AC9-10BE-536C449D1238} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229907 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {8A71F249-46BD-7AC9-10BE-536C449D1238} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229906 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8A71F249-46BD-7AC9-10BE-536C449D1238} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229905 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229904 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7C5AA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229903 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7C128 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229902 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7A99C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229966 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x816A4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229965 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x816A4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {382B01DD-754C-AC27-EAB7-E6754ED7B00E} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229964 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {382B01DD-754C-AC27-EAB7-E6754ED7B00E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229963 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {382B01DD-754C-AC27-EAB7-E6754ED7B00E} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229962 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229961 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8148F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229960 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8148F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {382B01DD-754C-AC27-EAB7-E6754ED7B00E} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229959 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {382B01DD-754C-AC27-EAB7-E6754ED7B00E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229958 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {382B01DD-754C-AC27-EAB7-E6754ED7B00E} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229957 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229956 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x81473 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229955 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x81473 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229954 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x81473 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {382B01DD-754C-AC27-EAB7-E6754ED7B00E} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229953 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {382B01DD-754C-AC27-EAB7-E6754ED7B00E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229952 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {382B01DD-754C-AC27-EAB7-E6754ED7B00E} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229951 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229950 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x81010 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229949 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8015D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229948 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x81010 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229947 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x81010 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {382B01DD-754C-AC27-EAB7-E6754ED7B00E} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229946 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {382B01DD-754C-AC27-EAB7-E6754ED7B00E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229945 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {382B01DD-754C-AC27-EAB7-E6754ED7B00E} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229944 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229943 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8015D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229942 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8015D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {382B01DD-754C-AC27-EAB7-E6754ED7B00E} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229941 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {382B01DD-754C-AC27-EAB7-E6754ED7B00E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229940 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {382B01DD-754C-AC27-EAB7-E6754ED7B00E} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229939 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229938 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7FAC0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229937 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7FAC0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {382B01DD-754C-AC27-EAB7-E6754ED7B00E} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229936 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {382B01DD-754C-AC27-EAB7-E6754ED7B00E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229935 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {382B01DD-754C-AC27-EAB7-E6754ED7B00E} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229934 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229933 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7FAA4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230005 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x845A8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230004 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x845A8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {6829A493-97C8-6B74-DCB1-49C99A82A638} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230003 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {6829A493-97C8-6B74-DCB1-49C99A82A638} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230002 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {6829A493-97C8-6B74-DCB1-49C99A82A638} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230001 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230000 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8307E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229999 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8307E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {6829A493-97C8-6B74-DCB1-49C99A82A638} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229998 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {6829A493-97C8-6B74-DCB1-49C99A82A638} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229997 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {6829A493-97C8-6B74-DCB1-49C99A82A638} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229996 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229995 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x82DED Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229994 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x82DED Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {6829A493-97C8-6B74-DCB1-49C99A82A638} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229993 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {6829A493-97C8-6B74-DCB1-49C99A82A638} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229992 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {6829A493-97C8-6B74-DCB1-49C99A82A638} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229991 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229990 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x82BA1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229989 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x82BA1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {6829A493-97C8-6B74-DCB1-49C99A82A638} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229988 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {6829A493-97C8-6B74-DCB1-49C99A82A638} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229987 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {6829A493-97C8-6B74-DCB1-49C99A82A638} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229986 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229985 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x82B6C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229984 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x78AB1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229983 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7A7AA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229982 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7ED2C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229981 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x78D13 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229980 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8148F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229979 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7FAC0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229978 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x82B6C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229977 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x82B6C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {6829A493-97C8-6B74-DCB1-49C99A82A638} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229976 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {6829A493-97C8-6B74-DCB1-49C99A82A638} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229975 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {6829A493-97C8-6B74-DCB1-49C99A82A638} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229974 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229973 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x82B50 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229972 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x82B50 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229971 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x82B50 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {6829A493-97C8-6B74-DCB1-49C99A82A638} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229970 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {6829A493-97C8-6B74-DCB1-49C99A82A638} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=229969 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {6829A493-97C8-6B74-DCB1-49C99A82A638} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=229968 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229967 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x816A4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230036 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x84FE1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230035 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x84FE1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A74969EF-D57F-ABEB-FD10-DFD9291A07E2} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230034 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {A74969EF-D57F-ABEB-FD10-DFD9291A07E2} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230033 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {A74969EF-D57F-ABEB-FD10-DFD9291A07E2} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230032 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230031 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x84E28 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230030 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x84E28 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A74969EF-D57F-ABEB-FD10-DFD9291A07E2} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230029 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {A74969EF-D57F-ABEB-FD10-DFD9291A07E2} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230028 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {A74969EF-D57F-ABEB-FD10-DFD9291A07E2} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230027 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230026 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x84BDC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230025 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x84BDC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A74969EF-D57F-ABEB-FD10-DFD9291A07E2} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230024 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {A74969EF-D57F-ABEB-FD10-DFD9291A07E2} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230023 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {A74969EF-D57F-ABEB-FD10-DFD9291A07E2} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230022 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230021 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x84BA3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230020 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x82BA1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230019 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x82DED Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230018 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x84BA3 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230017 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x84BA3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A74969EF-D57F-ABEB-FD10-DFD9291A07E2} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230016 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {A74969EF-D57F-ABEB-FD10-DFD9291A07E2} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230015 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {A74969EF-D57F-ABEB-FD10-DFD9291A07E2} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230014 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230013 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x84B87 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230012 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x84B87 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230011 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x84B87 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A74969EF-D57F-ABEB-FD10-DFD9291A07E2} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230010 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {A74969EF-D57F-ABEB-FD10-DFD9291A07E2} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230009 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {A74969EF-D57F-ABEB-FD10-DFD9291A07E2} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230008 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230007 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x845A8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230006 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8307E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230058 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x87C94 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230057 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x87C94 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4AEEE4F3-8302-4E0B-ACB4-63AA0369B0C7} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230056 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {4AEEE4F3-8302-4E0B-ACB4-63AA0369B0C7} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230055 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {4AEEE4F3-8302-4E0B-ACB4-63AA0369B0C7} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230054 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230053 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x869E7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230052 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x869E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4AEEE4F3-8302-4E0B-ACB4-63AA0369B0C7} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230051 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {4AEEE4F3-8302-4E0B-ACB4-63AA0369B0C7} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230050 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {4AEEE4F3-8302-4E0B-ACB4-63AA0369B0C7} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230049 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230048 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x86765 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230047 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x86765 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4AEEE4F3-8302-4E0B-ACB4-63AA0369B0C7} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230046 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {4AEEE4F3-8302-4E0B-ACB4-63AA0369B0C7} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230045 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {4AEEE4F3-8302-4E0B-ACB4-63AA0369B0C7} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230044 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230043 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x86749 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:35:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230042 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x86749 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:35:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230041 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x86749 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4AEEE4F3-8302-4E0B-ACB4-63AA0369B0C7} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:35:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230040 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {4AEEE4F3-8302-4E0B-ACB4-63AA0369B0C7} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:35:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230039 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {4AEEE4F3-8302-4E0B-ACB4-63AA0369B0C7} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:35:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230038 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:35:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230037 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x84FE1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230100 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x897B8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230099 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x897B8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {ADA571A3-62A2-EC8A-A0BE-D2FA637529F6} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230098 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {ADA571A3-62A2-EC8A-A0BE-D2FA637529F6} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230097 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {ADA571A3-62A2-EC8A-A0BE-D2FA637529F6} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230096 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230095 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8979C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230094 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8979C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230093 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8979C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {ADA571A3-62A2-EC8A-A0BE-D2FA637529F6} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230092 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {ADA571A3-62A2-EC8A-A0BE-D2FA637529F6} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230091 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {ADA571A3-62A2-EC8A-A0BE-D2FA637529F6} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230090 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230089 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x892B2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230088 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x88C5C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230087 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x892B2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230086 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x892B2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {ADA571A3-62A2-EC8A-A0BE-D2FA637529F6} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230085 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {ADA571A3-62A2-EC8A-A0BE-D2FA637529F6} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230084 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {ADA571A3-62A2-EC8A-A0BE-D2FA637529F6} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230083 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230082 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x88C5C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230081 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x88C5C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {ADA571A3-62A2-EC8A-A0BE-D2FA637529F6} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230080 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {ADA571A3-62A2-EC8A-A0BE-D2FA637529F6} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230079 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {ADA571A3-62A2-EC8A-A0BE-D2FA637529F6} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230078 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230077 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x88A2B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230076 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x88A2B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {ADA571A3-62A2-EC8A-A0BE-D2FA637529F6} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230075 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {ADA571A3-62A2-EC8A-A0BE-D2FA637529F6} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230074 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {ADA571A3-62A2-EC8A-A0BE-D2FA637529F6} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230073 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230072 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x88A0F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230071 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x88A0F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230070 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x88A0F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {ADA571A3-62A2-EC8A-A0BE-D2FA637529F6} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230069 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {ADA571A3-62A2-EC8A-A0BE-D2FA637529F6} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230068 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {ADA571A3-62A2-EC8A-A0BE-D2FA637529F6} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230067 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230066 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x884D2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230065 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x87C94 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230064 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x869E7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230063 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x884D2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230062 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x884D2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {ADA571A3-62A2-EC8A-A0BE-D2FA637529F6} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230061 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {ADA571A3-62A2-EC8A-A0BE-D2FA637529F6} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230060 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {ADA571A3-62A2-EC8A-A0BE-D2FA637529F6} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230059 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230128 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8B409 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230127 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8B409 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {759F04C3-6FB8-7D0E-5F0F-7E4B700740A5} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230126 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {759F04C3-6FB8-7D0E-5F0F-7E4B700740A5} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230125 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {759F04C3-6FB8-7D0E-5F0F-7E4B700740A5} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230124 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230123 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8B184 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230122 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8B184 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {759F04C3-6FB8-7D0E-5F0F-7E4B700740A5} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230121 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {759F04C3-6FB8-7D0E-5F0F-7E4B700740A5} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230120 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {759F04C3-6FB8-7D0E-5F0F-7E4B700740A5} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230119 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230118 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8B168 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230117 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8B168 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230116 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8B168 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {759F04C3-6FB8-7D0E-5F0F-7E4B700740A5} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230115 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {759F04C3-6FB8-7D0E-5F0F-7E4B700740A5} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230114 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {759F04C3-6FB8-7D0E-5F0F-7E4B700740A5} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230113 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230112 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8AD99 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230111 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x89A63 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230110 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8AD99 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230109 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8AD99 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {759F04C3-6FB8-7D0E-5F0F-7E4B700740A5} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230108 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {759F04C3-6FB8-7D0E-5F0F-7E4B700740A5} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230107 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {759F04C3-6FB8-7D0E-5F0F-7E4B700740A5} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230106 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230105 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x89A63 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230104 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x89A63 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {759F04C3-6FB8-7D0E-5F0F-7E4B700740A5} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230103 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {759F04C3-6FB8-7D0E-5F0F-7E4B700740A5} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230102 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {759F04C3-6FB8-7D0E-5F0F-7E4B700740A5} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230101 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230162 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8CD00 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230161 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8CD00 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D327EE8A-870D-70CA-166E-9C98E28DF793} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230160 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {D327EE8A-870D-70CA-166E-9C98E28DF793} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230159 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {D327EE8A-870D-70CA-166E-9C98E28DF793} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230158 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230157 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8CAEB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230156 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8CAEB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D327EE8A-870D-70CA-166E-9C98E28DF793} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230155 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {D327EE8A-870D-70CA-166E-9C98E28DF793} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230154 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {D327EE8A-870D-70CA-166E-9C98E28DF793} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230153 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230152 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8C89B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230151 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8C89B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D327EE8A-870D-70CA-166E-9C98E28DF793} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230150 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {D327EE8A-870D-70CA-166E-9C98E28DF793} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230149 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {D327EE8A-870D-70CA-166E-9C98E28DF793} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230148 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230147 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8C866 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230146 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x84BDC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230145 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x88A2B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230144 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x84E28 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230143 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x897B8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230142 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8B184 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230141 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x86765 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230140 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8C866 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230139 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8C866 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D327EE8A-870D-70CA-166E-9C98E28DF793} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230138 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {D327EE8A-870D-70CA-166E-9C98E28DF793} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230137 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {D327EE8A-870D-70CA-166E-9C98E28DF793} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230136 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230135 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8C84A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230134 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8C84A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230133 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8C84A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D327EE8A-870D-70CA-166E-9C98E28DF793} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230132 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {D327EE8A-870D-70CA-166E-9C98E28DF793} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230131 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {D327EE8A-870D-70CA-166E-9C98E28DF793} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230130 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230129 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8B409 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230183 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8E88F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230182 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8C89B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230181 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8CAEB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230180 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8E88F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230179 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8E88F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {449AD593-7B8D-E1D7-5CCD-953CAADBC10A} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230178 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {449AD593-7B8D-E1D7-5CCD-953CAADBC10A} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230177 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {449AD593-7B8D-E1D7-5CCD-953CAADBC10A} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230176 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230175 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8E873 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230174 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8E873 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230173 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8E873 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {449AD593-7B8D-E1D7-5CCD-953CAADBC10A} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230172 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {449AD593-7B8D-E1D7-5CCD-953CAADBC10A} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230171 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {449AD593-7B8D-E1D7-5CCD-953CAADBC10A} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230170 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230169 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8E2A5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230168 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8CD00 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230167 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8E2A5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230166 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8E2A5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {449AD593-7B8D-E1D7-5CCD-953CAADBC10A} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230165 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {449AD593-7B8D-E1D7-5CCD-953CAADBC10A} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230164 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {449AD593-7B8D-E1D7-5CCD-953CAADBC10A} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230163 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230210 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x904C6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230209 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x904C6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C0891DC7-1DF1-2112-18CA-70FEB5C56E04} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230208 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {C0891DC7-1DF1-2112-18CA-70FEB5C56E04} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230207 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {C0891DC7-1DF1-2112-18CA-70FEB5C56E04} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230206 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230205 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x902DA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230204 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8ED29 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230203 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x902DA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230202 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x902DA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C0891DC7-1DF1-2112-18CA-70FEB5C56E04} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230201 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {C0891DC7-1DF1-2112-18CA-70FEB5C56E04} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230200 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {C0891DC7-1DF1-2112-18CA-70FEB5C56E04} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230199 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230198 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8ED29 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230197 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8ED29 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C0891DC7-1DF1-2112-18CA-70FEB5C56E04} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230196 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {C0891DC7-1DF1-2112-18CA-70FEB5C56E04} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230195 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {C0891DC7-1DF1-2112-18CA-70FEB5C56E04} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230194 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230193 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8EB16 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230192 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8EB16 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C0891DC7-1DF1-2112-18CA-70FEB5C56E04} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230191 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {C0891DC7-1DF1-2112-18CA-70FEB5C56E04} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230190 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {C0891DC7-1DF1-2112-18CA-70FEB5C56E04} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230189 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230188 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8E8CA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230187 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8E8CA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C0891DC7-1DF1-2112-18CA-70FEB5C56E04} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230186 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {C0891DC7-1DF1-2112-18CA-70FEB5C56E04} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230185 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {C0891DC7-1DF1-2112-18CA-70FEB5C56E04} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230184 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230261 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x92E45 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230260 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x92E45 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EAC34EA4-892A-9638-B525-9D1129EFDDF1} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230259 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {EAC34EA4-892A-9638-B525-9D1129EFDDF1} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230258 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {EAC34EA4-892A-9638-B525-9D1129EFDDF1} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230257 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230256 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x92BC5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230255 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x92BC5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EAC34EA4-892A-9638-B525-9D1129EFDDF1} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230254 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {EAC34EA4-892A-9638-B525-9D1129EFDDF1} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230253 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {EAC34EA4-892A-9638-B525-9D1129EFDDF1} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230252 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230251 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x92BA9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230250 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x92BA9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230249 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x92BA9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EAC34EA4-892A-9638-B525-9D1129EFDDF1} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230248 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {EAC34EA4-892A-9638-B525-9D1129EFDDF1} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230247 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {EAC34EA4-892A-9638-B525-9D1129EFDDF1} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230246 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230245 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x928AB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230244 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x924D6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230243 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x928AB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230242 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x928AB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EAC34EA4-892A-9638-B525-9D1129EFDDF1} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230241 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {EAC34EA4-892A-9638-B525-9D1129EFDDF1} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230240 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {EAC34EA4-892A-9638-B525-9D1129EFDDF1} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230239 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230238 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x924D6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230237 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x924D6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EAC34EA4-892A-9638-B525-9D1129EFDDF1} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230236 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {EAC34EA4-892A-9638-B525-9D1129EFDDF1} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230235 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {EAC34EA4-892A-9638-B525-9D1129EFDDF1} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230234 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230233 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x91E1A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230232 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x91E1A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EAC34EA4-892A-9638-B525-9D1129EFDDF1} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230231 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {EAC34EA4-892A-9638-B525-9D1129EFDDF1} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230230 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {EAC34EA4-892A-9638-B525-9D1129EFDDF1} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230229 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230228 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x91DFE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230227 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x91DFE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230226 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x91DFE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EAC34EA4-892A-9638-B525-9D1129EFDDF1} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230225 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {EAC34EA4-892A-9638-B525-9D1129EFDDF1} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230224 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {EAC34EA4-892A-9638-B525-9D1129EFDDF1} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230223 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230222 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x906EF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230221 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x906EF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230220 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x906EF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EAC34EA4-892A-9638-B525-9D1129EFDDF1} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230219 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {EAC34EA4-892A-9638-B525-9D1129EFDDF1} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230218 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {EAC34EA4-892A-9638-B525-9D1129EFDDF1} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230217 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230216 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x904E2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230215 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x904E2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C0891DC7-1DF1-2112-18CA-70FEB5C56E04} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230214 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {C0891DC7-1DF1-2112-18CA-70FEB5C56E04} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230213 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {C0891DC7-1DF1-2112-18CA-70FEB5C56E04} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230212 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230211 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x904C6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230284 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x947AD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230283 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x947AD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DD1A4799-3E68-9137-6607-11265CD1915B} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230282 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {DD1A4799-3E68-9137-6607-11265CD1915B} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230281 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {DD1A4799-3E68-9137-6607-11265CD1915B} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230280 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230279 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x945A0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230278 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x945A0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DD1A4799-3E68-9137-6607-11265CD1915B} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230277 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {DD1A4799-3E68-9137-6607-11265CD1915B} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230276 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {DD1A4799-3E68-9137-6607-11265CD1915B} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230275 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230274 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9457C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230273 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9457C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230272 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9457C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DD1A4799-3E68-9137-6607-11265CD1915B} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230271 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {DD1A4799-3E68-9137-6607-11265CD1915B} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230270 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {DD1A4799-3E68-9137-6607-11265CD1915B} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230269 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230268 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9410A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230267 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x92E45 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230266 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9410A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230265 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9410A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DD1A4799-3E68-9137-6607-11265CD1915B} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230264 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {DD1A4799-3E68-9137-6607-11265CD1915B} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230263 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {DD1A4799-3E68-9137-6607-11265CD1915B} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230262 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230323 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x97445 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230322 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x97445 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4ADF0E97-FD7E-1727-6369-E4C2530D502B} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230321 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {4ADF0E97-FD7E-1727-6369-E4C2530D502B} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230320 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {4ADF0E97-FD7E-1727-6369-E4C2530D502B} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230319 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230318 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x96864 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230317 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x96864 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4ADF0E97-FD7E-1727-6369-E4C2530D502B} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230316 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {4ADF0E97-FD7E-1727-6369-E4C2530D502B} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230315 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {4ADF0E97-FD7E-1727-6369-E4C2530D502B} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230314 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230313 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x95F0E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230312 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x95F0E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4ADF0E97-FD7E-1727-6369-E4C2530D502B} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230311 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {4ADF0E97-FD7E-1727-6369-E4C2530D502B} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230310 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {4ADF0E97-FD7E-1727-6369-E4C2530D502B} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230309 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230308 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x95CC2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230307 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x95CC2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4ADF0E97-FD7E-1727-6369-E4C2530D502B} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230306 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {4ADF0E97-FD7E-1727-6369-E4C2530D502B} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230305 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {4ADF0E97-FD7E-1727-6369-E4C2530D502B} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230304 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230303 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x95C8D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230302 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8E8CA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230301 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x945A0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230300 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x91E1A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230299 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x8EB16 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230298 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x92BC5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230297 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x904E2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230296 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x95C8D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230295 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x95C8D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4ADF0E97-FD7E-1727-6369-E4C2530D502B} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230294 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {4ADF0E97-FD7E-1727-6369-E4C2530D502B} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230293 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {4ADF0E97-FD7E-1727-6369-E4C2530D502B} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230292 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230291 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x95C53 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230290 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x95C53 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230289 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x95C53 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4ADF0E97-FD7E-1727-6369-E4C2530D502B} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230288 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {4ADF0E97-FD7E-1727-6369-E4C2530D502B} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230287 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {4ADF0E97-FD7E-1727-6369-E4C2530D502B} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230286 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230285 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x947AD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230360 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x98629 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230359 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x98629 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {93C76798-1763-6BD3-56C6-1783498EF755} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230358 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {93C76798-1763-6BD3-56C6-1783498EF755} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230357 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {93C76798-1763-6BD3-56C6-1783498EF755} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230356 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230355 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x97F68 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230354 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x97F68 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {93C76798-1763-6BD3-56C6-1783498EF755} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230353 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {93C76798-1763-6BD3-56C6-1783498EF755} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230352 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {93C76798-1763-6BD3-56C6-1783498EF755} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230351 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230350 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x97D1C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230349 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x97D1C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {93C76798-1763-6BD3-56C6-1783498EF755} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230348 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {93C76798-1763-6BD3-56C6-1783498EF755} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230347 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {93C76798-1763-6BD3-56C6-1783498EF755} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230346 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230345 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x97CE7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230344 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x95CC2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230343 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x95F0E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230342 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x97CE7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230341 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x97CE7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {93C76798-1763-6BD3-56C6-1783498EF755} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230340 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {93C76798-1763-6BD3-56C6-1783498EF755} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230339 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {93C76798-1763-6BD3-56C6-1783498EF755} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230338 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230337 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x97CCB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230336 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x97CCB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230335 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x97CCB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {93C76798-1763-6BD3-56C6-1783498EF755} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230334 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {93C76798-1763-6BD3-56C6-1783498EF755} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230333 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {93C76798-1763-6BD3-56C6-1783498EF755} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230332 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230331 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x97C75 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230330 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x97445 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230329 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x96864 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230328 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x97C75 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230327 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x97C75 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {93C76798-1763-6BD3-56C6-1783498EF755} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230326 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {93C76798-1763-6BD3-56C6-1783498EF755} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230325 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {93C76798-1763-6BD3-56C6-1783498EF755} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230324 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230383 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x99B23 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230382 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x99B23 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {1FF1872F-3A5F-DA19-0B7B-7C86FBE03762} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230381 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {1FF1872F-3A5F-DA19-0B7B-7C86FBE03762} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230380 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {1FF1872F-3A5F-DA19-0B7B-7C86FBE03762} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230379 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230378 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9992B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230377 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9992B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {1FF1872F-3A5F-DA19-0B7B-7C86FBE03762} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230376 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {1FF1872F-3A5F-DA19-0B7B-7C86FBE03762} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230375 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {1FF1872F-3A5F-DA19-0B7B-7C86FBE03762} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230374 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230373 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9990F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230372 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9990F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230371 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9990F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {1FF1872F-3A5F-DA19-0B7B-7C86FBE03762} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230370 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {1FF1872F-3A5F-DA19-0B7B-7C86FBE03762} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230369 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {1FF1872F-3A5F-DA19-0B7B-7C86FBE03762} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230368 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230367 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x99608 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230366 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x98629 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230365 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x99608 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230364 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x99608 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {1FF1872F-3A5F-DA19-0B7B-7C86FBE03762} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230363 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {1FF1872F-3A5F-DA19-0B7B-7C86FBE03762} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230362 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {1FF1872F-3A5F-DA19-0B7B-7C86FBE03762} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230361 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230428 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9D6F3 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230427 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9D6F3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2D2AADD7-EB30-4B78-5B82-9494C871E691} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230426 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {2D2AADD7-EB30-4B78-5B82-9494C871E691} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230425 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {2D2AADD7-EB30-4B78-5B82-9494C871E691} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230424 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230423 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9C7A1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230422 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9C7A1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2D2AADD7-EB30-4B78-5B82-9494C871E691} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230421 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {2D2AADD7-EB30-4B78-5B82-9494C871E691} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230420 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {2D2AADD7-EB30-4B78-5B82-9494C871E691} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230419 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230418 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9BFEA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230417 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9BFEA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2D2AADD7-EB30-4B78-5B82-9494C871E691} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230416 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {2D2AADD7-EB30-4B78-5B82-9494C871E691} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230415 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {2D2AADD7-EB30-4B78-5B82-9494C871E691} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230414 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230413 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9BFCE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230412 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9BFCE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230411 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9BFCE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2D2AADD7-EB30-4B78-5B82-9494C871E691} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230410 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {2D2AADD7-EB30-4B78-5B82-9494C871E691} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230409 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {2D2AADD7-EB30-4B78-5B82-9494C871E691} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230408 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230407 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9BD18 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230406 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9B46D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230405 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9BD18 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230404 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9BD18 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2D2AADD7-EB30-4B78-5B82-9494C871E691} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230403 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {2D2AADD7-EB30-4B78-5B82-9494C871E691} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230402 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {2D2AADD7-EB30-4B78-5B82-9494C871E691} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230401 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230400 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9B46D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230399 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9B46D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2D2AADD7-EB30-4B78-5B82-9494C871E691} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230398 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {2D2AADD7-EB30-4B78-5B82-9494C871E691} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230397 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {2D2AADD7-EB30-4B78-5B82-9494C871E691} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230396 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230395 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9B247 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230394 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9B247 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2D2AADD7-EB30-4B78-5B82-9494C871E691} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230393 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {2D2AADD7-EB30-4B78-5B82-9494C871E691} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230392 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {2D2AADD7-EB30-4B78-5B82-9494C871E691} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230391 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230390 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9B22B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230389 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9B22B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230388 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9B22B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2D2AADD7-EB30-4B78-5B82-9494C871E691} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230387 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {2D2AADD7-EB30-4B78-5B82-9494C871E691} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230386 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {2D2AADD7-EB30-4B78-5B82-9494C871E691} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230385 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230384 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x99B23 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230465 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9F06B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230464 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x97D1C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230463 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x97F68 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230462 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9D9B2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230461 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9BFEA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230460 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9B247 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230459 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9992B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230458 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9F06B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230457 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9F06B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7649CD24-A8D3-1562-D80B-9998581CCA2E} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230456 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {7649CD24-A8D3-1562-D80B-9998581CCA2E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230455 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {7649CD24-A8D3-1562-D80B-9998581CCA2E} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230454 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230453 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9F04F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230452 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9F04F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230451 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9F04F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7649CD24-A8D3-1562-D80B-9998581CCA2E} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230450 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {7649CD24-A8D3-1562-D80B-9998581CCA2E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230449 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {7649CD24-A8D3-1562-D80B-9998581CCA2E} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230448 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230447 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9DBE4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230446 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9DBE4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230445 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9DBE4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7649CD24-A8D3-1562-D80B-9998581CCA2E} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230444 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {7649CD24-A8D3-1562-D80B-9998581CCA2E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230443 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {7649CD24-A8D3-1562-D80B-9998581CCA2E} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230442 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230441 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9D9B2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230440 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9D9B2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7649CD24-A8D3-1562-D80B-9998581CCA2E} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230439 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {7649CD24-A8D3-1562-D80B-9998581CCA2E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230438 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {7649CD24-A8D3-1562-D80B-9998581CCA2E} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230437 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230436 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9D996 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230435 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9D996 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230434 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9D996 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7649CD24-A8D3-1562-D80B-9998581CCA2E} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230433 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {7649CD24-A8D3-1562-D80B-9998581CCA2E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230432 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {7649CD24-A8D3-1562-D80B-9998581CCA2E} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230431 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230430 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9D6F3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230429 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9C7A1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230498 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA1095 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230497 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA1095 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CDB6EBB6-1DEC-AEAD-B7E2-7D7C201CD982} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230496 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {CDB6EBB6-1DEC-AEAD-B7E2-7D7C201CD982} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230495 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {CDB6EBB6-1DEC-AEAD-B7E2-7D7C201CD982} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230494 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230493 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA102C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230492 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA099B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230491 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9F729 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230490 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA102C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230489 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA102C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CDB6EBB6-1DEC-AEAD-B7E2-7D7C201CD982} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230488 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {CDB6EBB6-1DEC-AEAD-B7E2-7D7C201CD982} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230487 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {CDB6EBB6-1DEC-AEAD-B7E2-7D7C201CD982} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230486 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230485 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA099B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230484 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA099B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CDB6EBB6-1DEC-AEAD-B7E2-7D7C201CD982} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230483 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {CDB6EBB6-1DEC-AEAD-B7E2-7D7C201CD982} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230482 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {CDB6EBB6-1DEC-AEAD-B7E2-7D7C201CD982} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230481 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230480 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9F729 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230479 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9F729 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CDB6EBB6-1DEC-AEAD-B7E2-7D7C201CD982} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230478 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {CDB6EBB6-1DEC-AEAD-B7E2-7D7C201CD982} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230477 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {CDB6EBB6-1DEC-AEAD-B7E2-7D7C201CD982} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230476 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230475 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9F2F4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230474 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9F2F4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CDB6EBB6-1DEC-AEAD-B7E2-7D7C201CD982} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230473 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {CDB6EBB6-1DEC-AEAD-B7E2-7D7C201CD982} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230472 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {CDB6EBB6-1DEC-AEAD-B7E2-7D7C201CD982} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230471 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230470 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9F0A4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230469 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9F0A4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CDB6EBB6-1DEC-AEAD-B7E2-7D7C201CD982} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230468 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {CDB6EBB6-1DEC-AEAD-B7E2-7D7C201CD982} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230467 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {CDB6EBB6-1DEC-AEAD-B7E2-7D7C201CD982} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230466 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230527 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA2883 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230526 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA2883 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EAD873B6-9CDC-7C5D-AFDC-48A72554F9B2} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230525 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {EAD873B6-9CDC-7C5D-AFDC-48A72554F9B2} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230524 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {EAD873B6-9CDC-7C5D-AFDC-48A72554F9B2} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230523 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230522 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA153B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230521 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA153B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EAD873B6-9CDC-7C5D-AFDC-48A72554F9B2} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230520 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {EAD873B6-9CDC-7C5D-AFDC-48A72554F9B2} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230519 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {EAD873B6-9CDC-7C5D-AFDC-48A72554F9B2} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230518 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230517 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA1350 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230516 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA1350 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EAD873B6-9CDC-7C5D-AFDC-48A72554F9B2} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230515 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {EAD873B6-9CDC-7C5D-AFDC-48A72554F9B2} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230514 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {EAD873B6-9CDC-7C5D-AFDC-48A72554F9B2} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230513 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230512 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA1104 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230511 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA1104 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EAD873B6-9CDC-7C5D-AFDC-48A72554F9B2} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230510 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {EAD873B6-9CDC-7C5D-AFDC-48A72554F9B2} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230509 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {EAD873B6-9CDC-7C5D-AFDC-48A72554F9B2} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230508 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230507 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA10B1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230506 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9F0A4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230505 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9F2F4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230504 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA10B1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230503 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA10B1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EAD873B6-9CDC-7C5D-AFDC-48A72554F9B2} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230502 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {EAD873B6-9CDC-7C5D-AFDC-48A72554F9B2} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230501 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {EAD873B6-9CDC-7C5D-AFDC-48A72554F9B2} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230500 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230499 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA1095 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230585 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA55CA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230584 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA55CA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {3D6FBD07-0FBC-C4D7-607D-8B04C92A3077} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230583 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {3D6FBD07-0FBC-C4D7-607D-8B04C92A3077} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230582 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {3D6FBD07-0FBC-C4D7-607D-8B04C92A3077} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230581 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230580 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA53BF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230579 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA53BF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {3D6FBD07-0FBC-C4D7-607D-8B04C92A3077} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230578 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {3D6FBD07-0FBC-C4D7-607D-8B04C92A3077} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230577 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {3D6FBD07-0FBC-C4D7-607D-8B04C92A3077} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230576 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230575 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA53A3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230574 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA53A3 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230573 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA53A3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {3D6FBD07-0FBC-C4D7-607D-8B04C92A3077} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230572 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {3D6FBD07-0FBC-C4D7-607D-8B04C92A3077} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230571 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {3D6FBD07-0FBC-C4D7-607D-8B04C92A3077} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230570 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230569 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA4E2A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230568 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA4848 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230567 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA4E2A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230566 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA4E2A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {3D6FBD07-0FBC-C4D7-607D-8B04C92A3077} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230565 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {3D6FBD07-0FBC-C4D7-607D-8B04C92A3077} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230564 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {3D6FBD07-0FBC-C4D7-607D-8B04C92A3077} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230563 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230562 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA4848 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230561 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA4848 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {3D6FBD07-0FBC-C4D7-607D-8B04C92A3077} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230560 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {3D6FBD07-0FBC-C4D7-607D-8B04C92A3077} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230559 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {3D6FBD07-0FBC-C4D7-607D-8B04C92A3077} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230558 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230557 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA4636 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230556 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA4636 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {3D6FBD07-0FBC-C4D7-607D-8B04C92A3077} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230555 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {3D6FBD07-0FBC-C4D7-607D-8B04C92A3077} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230554 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {3D6FBD07-0FBC-C4D7-607D-8B04C92A3077} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230553 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230552 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA461A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230551 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA461A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230550 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA461A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {3D6FBD07-0FBC-C4D7-607D-8B04C92A3077} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230549 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {3D6FBD07-0FBC-C4D7-607D-8B04C92A3077} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230548 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {3D6FBD07-0FBC-C4D7-607D-8B04C92A3077} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230547 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230546 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA33A2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230545 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA33A2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230544 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA33A2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {3D6FBD07-0FBC-C4D7-607D-8B04C92A3077} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230543 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {3D6FBD07-0FBC-C4D7-607D-8B04C92A3077} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230542 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {3D6FBD07-0FBC-C4D7-607D-8B04C92A3077} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230541 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230540 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA2CF8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230539 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA2CF8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {3D6FBD07-0FBC-C4D7-607D-8B04C92A3077} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230538 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {3D6FBD07-0FBC-C4D7-607D-8B04C92A3077} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230537 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {3D6FBD07-0FBC-C4D7-607D-8B04C92A3077} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230536 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230535 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA2CDC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230534 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA2CDC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230533 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA2CDC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {3D6FBD07-0FBC-C4D7-607D-8B04C92A3077} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230532 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {3D6FBD07-0FBC-C4D7-607D-8B04C92A3077} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230531 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {3D6FBD07-0FBC-C4D7-607D-8B04C92A3077} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230530 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230529 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA2883 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230528 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA153B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230608 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA6FFB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230607 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA6FFB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {6B0AC68C-E120-FF2A-9E23-FDCE406EE959} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230606 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {6B0AC68C-E120-FF2A-9E23-FDCE406EE959} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230605 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {6B0AC68C-E120-FF2A-9E23-FDCE406EE959} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230604 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230603 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA6DE9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230602 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA6DE9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {6B0AC68C-E120-FF2A-9E23-FDCE406EE959} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230601 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {6B0AC68C-E120-FF2A-9E23-FDCE406EE959} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230600 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {6B0AC68C-E120-FF2A-9E23-FDCE406EE959} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230599 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230598 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA6DCD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230597 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA6DCD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230596 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA6DCD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {6B0AC68C-E120-FF2A-9E23-FDCE406EE959} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230595 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {6B0AC68C-E120-FF2A-9E23-FDCE406EE959} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230594 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {6B0AC68C-E120-FF2A-9E23-FDCE406EE959} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230593 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230592 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA691D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230591 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA55CA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230590 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA691D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230589 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA691D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {6B0AC68C-E120-FF2A-9E23-FDCE406EE959} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230588 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {6B0AC68C-E120-FF2A-9E23-FDCE406EE959} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230587 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {6B0AC68C-E120-FF2A-9E23-FDCE406EE959} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230586 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230647 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA9CE9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230646 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA9CE9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {325F74BE-1194-C74D-5BF4-4F68BEE7B797} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230645 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {325F74BE-1194-C74D-5BF4-4F68BEE7B797} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230644 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {325F74BE-1194-C74D-5BF4-4F68BEE7B797} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230643 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230642 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA8FD9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230641 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA8FD9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {325F74BE-1194-C74D-5BF4-4F68BEE7B797} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230640 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {325F74BE-1194-C74D-5BF4-4F68BEE7B797} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230639 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {325F74BE-1194-C74D-5BF4-4F68BEE7B797} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230638 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230637 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA874D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230636 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA874D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {325F74BE-1194-C74D-5BF4-4F68BEE7B797} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230635 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {325F74BE-1194-C74D-5BF4-4F68BEE7B797} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230634 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {325F74BE-1194-C74D-5BF4-4F68BEE7B797} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230633 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230632 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA8501 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230631 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA8501 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {325F74BE-1194-C74D-5BF4-4F68BEE7B797} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230630 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {325F74BE-1194-C74D-5BF4-4F68BEE7B797} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230629 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {325F74BE-1194-C74D-5BF4-4F68BEE7B797} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230628 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230627 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA84CC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230626 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA1104 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230625 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA1350 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230624 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA2CF8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230623 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA6DE9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230622 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA53BF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230621 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA4636 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230620 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA84CC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230619 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA84CC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {325F74BE-1194-C74D-5BF4-4F68BEE7B797} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230618 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {325F74BE-1194-C74D-5BF4-4F68BEE7B797} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230617 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {325F74BE-1194-C74D-5BF4-4F68BEE7B797} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230616 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230615 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA8496 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230614 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA8496 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230613 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA8496 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {325F74BE-1194-C74D-5BF4-4F68BEE7B797} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230612 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {325F74BE-1194-C74D-5BF4-4F68BEE7B797} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230611 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {325F74BE-1194-C74D-5BF4-4F68BEE7B797} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230610 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230609 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA6FFB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230684 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAAF46 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230683 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAAF46 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2C85B85F-EDD8-04D2-1905-FDEA7DB71106} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230682 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {2C85B85F-EDD8-04D2-1905-FDEA7DB71106} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230681 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {2C85B85F-EDD8-04D2-1905-FDEA7DB71106} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230680 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230679 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAA7A9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230678 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAA7A9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2C85B85F-EDD8-04D2-1905-FDEA7DB71106} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230677 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {2C85B85F-EDD8-04D2-1905-FDEA7DB71106} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230676 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {2C85B85F-EDD8-04D2-1905-FDEA7DB71106} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230675 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230674 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAA55D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230673 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAA55D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2C85B85F-EDD8-04D2-1905-FDEA7DB71106} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230672 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {2C85B85F-EDD8-04D2-1905-FDEA7DB71106} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230671 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {2C85B85F-EDD8-04D2-1905-FDEA7DB71106} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230670 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230669 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAA528 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230668 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA8501 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230667 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA874D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230666 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAA528 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230665 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAA528 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2C85B85F-EDD8-04D2-1905-FDEA7DB71106} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230664 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {2C85B85F-EDD8-04D2-1905-FDEA7DB71106} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230663 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {2C85B85F-EDD8-04D2-1905-FDEA7DB71106} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230662 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230661 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAA50C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230660 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAA50C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230659 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAA50C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2C85B85F-EDD8-04D2-1905-FDEA7DB71106} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230658 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {2C85B85F-EDD8-04D2-1905-FDEA7DB71106} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230657 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {2C85B85F-EDD8-04D2-1905-FDEA7DB71106} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230656 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230655 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAA4B2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230654 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA9CE9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230653 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xA8FD9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230652 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAA4B2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230651 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAA4B2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2C85B85F-EDD8-04D2-1905-FDEA7DB71106} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230650 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {2C85B85F-EDD8-04D2-1905-FDEA7DB71106} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230649 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {2C85B85F-EDD8-04D2-1905-FDEA7DB71106} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230648 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230707 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAC357 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230706 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAC357 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {86051303-143F-2461-986C-6D33D6AFED13} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230705 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {86051303-143F-2461-986C-6D33D6AFED13} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230704 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {86051303-143F-2461-986C-6D33D6AFED13} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230703 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230702 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAC177 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230701 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAC177 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {86051303-143F-2461-986C-6D33D6AFED13} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230700 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {86051303-143F-2461-986C-6D33D6AFED13} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230699 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {86051303-143F-2461-986C-6D33D6AFED13} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230698 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230697 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAC15B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230696 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAC15B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230695 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAC15B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {86051303-143F-2461-986C-6D33D6AFED13} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230694 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {86051303-143F-2461-986C-6D33D6AFED13} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230693 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {86051303-143F-2461-986C-6D33D6AFED13} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230692 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230691 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xABEC4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230690 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAAF46 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230689 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xABEC4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230688 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xABEC4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {86051303-143F-2461-986C-6D33D6AFED13} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230687 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {86051303-143F-2461-986C-6D33D6AFED13} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230686 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {86051303-143F-2461-986C-6D33D6AFED13} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230685 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230752 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAFD70 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230751 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAFD70 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0191A975-A207-C33A-45DE-D413324EF2FC} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230750 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {0191A975-A207-C33A-45DE-D413324EF2FC} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230749 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {0191A975-A207-C33A-45DE-D413324EF2FC} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230748 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230747 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAF0C8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230746 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAF0C8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0191A975-A207-C33A-45DE-D413324EF2FC} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230745 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {0191A975-A207-C33A-45DE-D413324EF2FC} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230744 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {0191A975-A207-C33A-45DE-D413324EF2FC} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230743 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230742 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAE838 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230741 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAE838 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0191A975-A207-C33A-45DE-D413324EF2FC} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230740 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {0191A975-A207-C33A-45DE-D413324EF2FC} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230739 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {0191A975-A207-C33A-45DE-D413324EF2FC} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230738 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230737 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAE81C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230736 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAE81C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230735 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAE81C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0191A975-A207-C33A-45DE-D413324EF2FC} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230734 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {0191A975-A207-C33A-45DE-D413324EF2FC} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230733 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {0191A975-A207-C33A-45DE-D413324EF2FC} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230732 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230731 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAE539 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230730 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAE0E3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230729 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAE539 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230728 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAE539 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0191A975-A207-C33A-45DE-D413324EF2FC} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230727 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {0191A975-A207-C33A-45DE-D413324EF2FC} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230726 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {0191A975-A207-C33A-45DE-D413324EF2FC} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230725 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230724 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAE0E3 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230723 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAE0E3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0191A975-A207-C33A-45DE-D413324EF2FC} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230722 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {0191A975-A207-C33A-45DE-D413324EF2FC} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230721 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {0191A975-A207-C33A-45DE-D413324EF2FC} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230720 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230719 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xADAA9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230718 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xADAA9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0191A975-A207-C33A-45DE-D413324EF2FC} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230717 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {0191A975-A207-C33A-45DE-D413324EF2FC} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230716 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {0191A975-A207-C33A-45DE-D413324EF2FC} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230715 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230714 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xADA75 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230713 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xADA75 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230712 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xADA75 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0191A975-A207-C33A-45DE-D413324EF2FC} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230711 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {0191A975-A207-C33A-45DE-D413324EF2FC} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230710 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {0191A975-A207-C33A-45DE-D413324EF2FC} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230709 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230708 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAC357 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230789 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB18C2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230788 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAA55D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230787 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAE838 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230786 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB0203 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230785 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAA7A9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230784 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xADAA9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230783 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAC177 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230782 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB18C2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230781 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB18C2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9580C76A-3CCF-22AC-391F-B12200CAFE37} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230780 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {9580C76A-3CCF-22AC-391F-B12200CAFE37} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230779 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {9580C76A-3CCF-22AC-391F-B12200CAFE37} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230778 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230777 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB18A6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230776 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB18A6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230775 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB18A6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9580C76A-3CCF-22AC-391F-B12200CAFE37} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230774 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {9580C76A-3CCF-22AC-391F-B12200CAFE37} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230773 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {9580C76A-3CCF-22AC-391F-B12200CAFE37} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230772 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230771 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB040D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230770 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB040D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230769 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB040D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9580C76A-3CCF-22AC-391F-B12200CAFE37} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230768 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {9580C76A-3CCF-22AC-391F-B12200CAFE37} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230767 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {9580C76A-3CCF-22AC-391F-B12200CAFE37} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230766 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230765 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB0203 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230764 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB0203 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9580C76A-3CCF-22AC-391F-B12200CAFE37} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230763 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {9580C76A-3CCF-22AC-391F-B12200CAFE37} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230762 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {9580C76A-3CCF-22AC-391F-B12200CAFE37} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230761 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230760 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB01E7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230759 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB01E7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230758 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB01E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9580C76A-3CCF-22AC-391F-B12200CAFE37} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230757 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {9580C76A-3CCF-22AC-391F-B12200CAFE37} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230756 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {9580C76A-3CCF-22AC-391F-B12200CAFE37} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230755 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230754 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAFD70 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230753 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xAF0C8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230809 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB30B2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230808 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB30B2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {1D2D6723-AFC1-5169-7759-F690762C0120} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230807 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {1D2D6723-AFC1-5169-7759-F690762C0120} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230806 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {1D2D6723-AFC1-5169-7759-F690762C0120} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230805 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230804 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB256A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230803 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB256A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {1D2D6723-AFC1-5169-7759-F690762C0120} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230802 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {1D2D6723-AFC1-5169-7759-F690762C0120} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230801 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {1D2D6723-AFC1-5169-7759-F690762C0120} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230800 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230799 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB1B6D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230798 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB1B6D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {1D2D6723-AFC1-5169-7759-F690762C0120} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230797 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {1D2D6723-AFC1-5169-7759-F690762C0120} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230796 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {1D2D6723-AFC1-5169-7759-F690762C0120} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230795 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230794 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB18FE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230793 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB18FE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {1D2D6723-AFC1-5169-7759-F690762C0120} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230792 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {1D2D6723-AFC1-5169-7759-F690762C0120} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230791 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {1D2D6723-AFC1-5169-7759-F690762C0120} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230790 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230814 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB38CA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230813 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB38CA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9674C8B5-9B72-CB8B-817A-54207645B6CE} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230812 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {9674C8B5-9B72-CB8B-817A-54207645B6CE} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230811 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {9674C8B5-9B72-CB8B-817A-54207645B6CE} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230810 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230846 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB59C0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230845 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB59C0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FD0BE39D-B981-2FA3-3886-7C39B4E9468D} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230844 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FD0BE39D-B981-2FA3-3886-7C39B4E9468D} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230843 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FD0BE39D-B981-2FA3-3886-7C39B4E9468D} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230842 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230841 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB4F85 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230840 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB4F85 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FD0BE39D-B981-2FA3-3886-7C39B4E9468D} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230839 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FD0BE39D-B981-2FA3-3886-7C39B4E9468D} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230838 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FD0BE39D-B981-2FA3-3886-7C39B4E9468D} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230837 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230836 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB4D39 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230835 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB4D39 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FD0BE39D-B981-2FA3-3886-7C39B4E9468D} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230834 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FD0BE39D-B981-2FA3-3886-7C39B4E9468D} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230833 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FD0BE39D-B981-2FA3-3886-7C39B4E9468D} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230832 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230831 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB4D04 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230830 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB18FE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230829 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB1B6D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230828 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB4D04 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230827 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB4D04 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FD0BE39D-B981-2FA3-3886-7C39B4E9468D} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230826 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FD0BE39D-B981-2FA3-3886-7C39B4E9468D} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230825 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FD0BE39D-B981-2FA3-3886-7C39B4E9468D} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230824 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230823 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB4CCA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230822 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB4CCA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230821 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB4CCA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FD0BE39D-B981-2FA3-3886-7C39B4E9468D} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230820 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FD0BE39D-B981-2FA3-3886-7C39B4E9468D} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230819 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FD0BE39D-B981-2FA3-3886-7C39B4E9468D} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230818 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230817 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB38CA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230816 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB30B2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230815 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB256A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230856 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB6CFC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230855 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB6CFC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FD818D57-CE4A-28DD-AAC3-1110476472E5} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230854 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FD818D57-CE4A-28DD-AAC3-1110476472E5} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230853 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FD818D57-CE4A-28DD-AAC3-1110476472E5} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230852 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230851 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB658A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230850 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB658A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FD818D57-CE4A-28DD-AAC3-1110476472E5} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230849 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FD818D57-CE4A-28DD-AAC3-1110476472E5} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230848 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FD818D57-CE4A-28DD-AAC3-1110476472E5} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230847 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230878 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB8D21 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230877 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB8D21 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {47302E5A-1699-0694-A419-135AAFDADB31} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230876 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {47302E5A-1699-0694-A419-135AAFDADB31} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230875 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {47302E5A-1699-0694-A419-135AAFDADB31} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230874 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230873 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB8CEC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230872 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB4D39 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230871 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB4F85 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230870 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB8CEC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230869 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB8CEC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {47302E5A-1699-0694-A419-135AAFDADB31} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230868 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {47302E5A-1699-0694-A419-135AAFDADB31} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230867 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {47302E5A-1699-0694-A419-135AAFDADB31} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230866 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230865 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB8CD0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230864 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB8CD0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230863 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB8CD0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {47302E5A-1699-0694-A419-135AAFDADB31} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230862 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {47302E5A-1699-0694-A419-135AAFDADB31} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230861 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {47302E5A-1699-0694-A419-135AAFDADB31} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230860 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230859 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB6CFC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230858 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB658A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230857 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB59C0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230898 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBAC4D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230897 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBAC4D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BC4288A3-394B-4870-47FD-D5CA2C41D5F7} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230896 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {BC4288A3-394B-4870-47FD-D5CA2C41D5F7} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230895 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {BC4288A3-394B-4870-47FD-D5CA2C41D5F7} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230894 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230893 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBA828 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230892 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBA828 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BC4288A3-394B-4870-47FD-D5CA2C41D5F7} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230891 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {BC4288A3-394B-4870-47FD-D5CA2C41D5F7} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230890 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {BC4288A3-394B-4870-47FD-D5CA2C41D5F7} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230889 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230888 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB9242 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230887 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB9242 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BC4288A3-394B-4870-47FD-D5CA2C41D5F7} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230886 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {BC4288A3-394B-4870-47FD-D5CA2C41D5F7} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230885 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {BC4288A3-394B-4870-47FD-D5CA2C41D5F7} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230884 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230883 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB9029 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230882 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB9029 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BC4288A3-394B-4870-47FD-D5CA2C41D5F7} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230881 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {BC4288A3-394B-4870-47FD-D5CA2C41D5F7} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230880 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {BC4288A3-394B-4870-47FD-D5CA2C41D5F7} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230879 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230957 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBD675 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230956 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBD675 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FFEC5DA5-31D2-DEEB-E456-0DCC4F971C5F} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230955 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FFEC5DA5-31D2-DEEB-E456-0DCC4F971C5F} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230954 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FFEC5DA5-31D2-DEEB-E456-0DCC4F971C5F} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230953 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230952 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBD39D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230951 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBD39D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FFEC5DA5-31D2-DEEB-E456-0DCC4F971C5F} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230950 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FFEC5DA5-31D2-DEEB-E456-0DCC4F971C5F} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230949 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FFEC5DA5-31D2-DEEB-E456-0DCC4F971C5F} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230948 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230947 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBD381 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230946 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBD381 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230945 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBD381 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FFEC5DA5-31D2-DEEB-E456-0DCC4F971C5F} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230944 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FFEC5DA5-31D2-DEEB-E456-0DCC4F971C5F} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230943 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FFEC5DA5-31D2-DEEB-E456-0DCC4F971C5F} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230942 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230941 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBD0AA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230940 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBC813 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230939 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBD0AA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230938 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBD0AA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FFEC5DA5-31D2-DEEB-E456-0DCC4F971C5F} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230937 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FFEC5DA5-31D2-DEEB-E456-0DCC4F971C5F} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230936 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FFEC5DA5-31D2-DEEB-E456-0DCC4F971C5F} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230935 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230934 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBC813 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230933 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBC813 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FFEC5DA5-31D2-DEEB-E456-0DCC4F971C5F} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230932 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FFEC5DA5-31D2-DEEB-E456-0DCC4F971C5F} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230931 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FFEC5DA5-31D2-DEEB-E456-0DCC4F971C5F} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230930 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230929 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBC607 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230928 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBC607 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FFEC5DA5-31D2-DEEB-E456-0DCC4F971C5F} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230927 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FFEC5DA5-31D2-DEEB-E456-0DCC4F971C5F} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230926 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FFEC5DA5-31D2-DEEB-E456-0DCC4F971C5F} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230925 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230924 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBC5EB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230923 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBC5EB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230922 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBC5EB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FFEC5DA5-31D2-DEEB-E456-0DCC4F971C5F} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230921 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FFEC5DA5-31D2-DEEB-E456-0DCC4F971C5F} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230920 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FFEC5DA5-31D2-DEEB-E456-0DCC4F971C5F} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230919 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230918 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBAF0A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230917 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBAF0A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230916 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBAF0A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FFEC5DA5-31D2-DEEB-E456-0DCC4F971C5F} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230915 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FFEC5DA5-31D2-DEEB-E456-0DCC4F971C5F} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230914 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FFEC5DA5-31D2-DEEB-E456-0DCC4F971C5F} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230913 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230912 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBACCF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230911 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBACCF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FFEC5DA5-31D2-DEEB-E456-0DCC4F971C5F} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230910 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FFEC5DA5-31D2-DEEB-E456-0DCC4F971C5F} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230909 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FFEC5DA5-31D2-DEEB-E456-0DCC4F971C5F} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230908 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230907 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBACB3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230906 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBACB3 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230905 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBACB3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FFEC5DA5-31D2-DEEB-E456-0DCC4F971C5F} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230904 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FFEC5DA5-31D2-DEEB-E456-0DCC4F971C5F} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230903 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FFEC5DA5-31D2-DEEB-E456-0DCC4F971C5F} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230902 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230901 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBAC4D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230900 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBA828 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230899 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB9242 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230980 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBEF72 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230979 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBEF72 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B4436F31-6D2B-E6F1-0929-6A5DEA8268C4} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230978 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B4436F31-6D2B-E6F1-0929-6A5DEA8268C4} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230977 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B4436F31-6D2B-E6F1-0929-6A5DEA8268C4} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230976 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230975 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBED65 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230974 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBED65 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B4436F31-6D2B-E6F1-0929-6A5DEA8268C4} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230973 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B4436F31-6D2B-E6F1-0929-6A5DEA8268C4} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230972 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B4436F31-6D2B-E6F1-0929-6A5DEA8268C4} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230971 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230970 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBED49 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230969 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBED49 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230968 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBED49 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B4436F31-6D2B-E6F1-0929-6A5DEA8268C4} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230967 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B4436F31-6D2B-E6F1-0929-6A5DEA8268C4} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230966 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B4436F31-6D2B-E6F1-0929-6A5DEA8268C4} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230965 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230964 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBE8D6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230963 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBD675 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230962 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBE8D6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230961 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBE8D6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B4436F31-6D2B-E6F1-0929-6A5DEA8268C4} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230960 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B4436F31-6D2B-E6F1-0929-6A5DEA8268C4} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230959 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B4436F31-6D2B-E6F1-0929-6A5DEA8268C4} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230958 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231019 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC1C0F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231018 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC1C0F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BF5C4A4E-D78B-7068-1C13-7A119BF1EA0E} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231017 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {BF5C4A4E-D78B-7068-1C13-7A119BF1EA0E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231016 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {BF5C4A4E-D78B-7068-1C13-7A119BF1EA0E} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231015 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231014 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC08D3 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231013 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC08D3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BF5C4A4E-D78B-7068-1C13-7A119BF1EA0E} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231012 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {BF5C4A4E-D78B-7068-1C13-7A119BF1EA0E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231011 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {BF5C4A4E-D78B-7068-1C13-7A119BF1EA0E} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231010 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231009 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC06BF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231008 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC06BF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BF5C4A4E-D78B-7068-1C13-7A119BF1EA0E} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231007 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {BF5C4A4E-D78B-7068-1C13-7A119BF1EA0E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231006 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {BF5C4A4E-D78B-7068-1C13-7A119BF1EA0E} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231005 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231004 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC0473 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231003 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC0473 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BF5C4A4E-D78B-7068-1C13-7A119BF1EA0E} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231002 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {BF5C4A4E-D78B-7068-1C13-7A119BF1EA0E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231001 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {BF5C4A4E-D78B-7068-1C13-7A119BF1EA0E} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231000 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230999 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC0420 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230998 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB8D21 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230997 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBED65 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230996 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBACCF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230995 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBD39D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230994 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBC607 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230993 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xB9029 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230992 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC0420 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230991 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC0420 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BF5C4A4E-D78B-7068-1C13-7A119BF1EA0E} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230990 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {BF5C4A4E-D78B-7068-1C13-7A119BF1EA0E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230989 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {BF5C4A4E-D78B-7068-1C13-7A119BF1EA0E} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230988 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230987 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC0404 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230986 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC0404 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230985 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC0404 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BF5C4A4E-D78B-7068-1C13-7A119BF1EA0E} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230984 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {BF5C4A4E-D78B-7068-1C13-7A119BF1EA0E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=230983 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {BF5C4A4E-D78B-7068-1C13-7A119BF1EA0E} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=230982 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230981 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xBEF72 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231024 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC2C69 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231023 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC2C69 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7B5B8790-2FA2-6E50-29A1-9C52E3A83E7F} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231022 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {7B5B8790-2FA2-6E50-29A1-9C52E3A83E7F} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231021 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {7B5B8790-2FA2-6E50-29A1-9C52E3A83E7F} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231020 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231039 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC06BF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231038 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC598F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231037 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC598F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DD657323-1D27-B272-E1EC-AD3AE6F21A78} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231036 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {DD657323-1D27-B272-E1EC-AD3AE6F21A78} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231035 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {DD657323-1D27-B272-E1EC-AD3AE6F21A78} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231034 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231033 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC5973 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231032 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC5973 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231031 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC5973 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DD657323-1D27-B272-E1EC-AD3AE6F21A78} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231030 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {DD657323-1D27-B272-E1EC-AD3AE6F21A78} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231029 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {DD657323-1D27-B272-E1EC-AD3AE6F21A78} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231028 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231027 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC2C69 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231026 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC1C0F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231025 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC08D3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231061 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC7176 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231060 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC7176 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {3ECECFE8-9F4C-262C-4B10-F8462506271E} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231059 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {3ECECFE8-9F4C-262C-4B10-F8462506271E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231058 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {3ECECFE8-9F4C-262C-4B10-F8462506271E} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231057 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231056 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC5E03 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231055 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC5E03 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {3ECECFE8-9F4C-262C-4B10-F8462506271E} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231054 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {3ECECFE8-9F4C-262C-4B10-F8462506271E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231053 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {3ECECFE8-9F4C-262C-4B10-F8462506271E} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231052 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231051 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC5C11 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231050 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC5C11 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {3ECECFE8-9F4C-262C-4B10-F8462506271E} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231049 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {3ECECFE8-9F4C-262C-4B10-F8462506271E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231048 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {3ECECFE8-9F4C-262C-4B10-F8462506271E} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231047 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231046 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC59C5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231045 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC59C5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {3ECECFE8-9F4C-262C-4B10-F8462506271E} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231044 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {3ECECFE8-9F4C-262C-4B10-F8462506271E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231043 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {3ECECFE8-9F4C-262C-4B10-F8462506271E} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231042 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231041 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC598F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231040 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC0473 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231066 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC7928 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231065 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC7928 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {60475406-47B0-FE50-542C-4E536797FA90} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231064 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {60475406-47B0-FE50-542C-4E536797FA90} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231063 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {60475406-47B0-FE50-542C-4E536797FA90} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231062 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231136 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD0ED8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231135 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD0ED8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4B30A3D8-868D-A46F-738B-96837C683AF8} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231134 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {4B30A3D8-868D-A46F-738B-96837C683AF8} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231133 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {4B30A3D8-868D-A46F-738B-96837C683AF8} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231132 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231131 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD0CEA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231130 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD0CEA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4B30A3D8-868D-A46F-738B-96837C683AF8} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231129 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {4B30A3D8-868D-A46F-738B-96837C683AF8} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231128 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {4B30A3D8-868D-A46F-738B-96837C683AF8} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231127 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231126 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD0CCE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231125 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD0CCE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231124 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD0CCE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4B30A3D8-868D-A46F-738B-96837C683AF8} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231123 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {4B30A3D8-868D-A46F-738B-96837C683AF8} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231122 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {4B30A3D8-868D-A46F-738B-96837C683AF8} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231121 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231120 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xCF36E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231119 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0xCFD7F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231118 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xCFD7F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 60448 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231117 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0xCFD7F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231116 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0xCFD0B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231115 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xCFD0B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 60447 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231114 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0xCFD0B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231113 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0xCFB7D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231111 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xCFB7D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 60446 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231110 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0xCFB7D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231109 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0xCFAFB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231107 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xCFAFB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 60445 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231106 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0xCFAFB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4742 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Computer Account Management OpCode=Info RecordNumber=231105 Keywords=Audit Success Message=A computer account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x30478 Computer Account That Was Changed: Security ID: ATTACKRANGE\WIN-DC-259$ Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - DNS Host Name: - Service Principal Names: ldap/win-dc-259.attackrange.local/attackrange.local ldap/win-dc-259.attackrange.local ldap/WIN-DC-259 ldap/win-dc-259.attackrange.local/ATTACKRANGE ldap/d57997e9-2226-46f7-9af4-01c28c3b276c._msdcs.attackrange.local ldap/WIN-DC-259/ATTACKRANGE E3514235-4B06-11D1-AB04-00C04FC2DCD2/d57997e9-2226-46f7-9af4-01c28c3b276c/attackrange.local HOST/win-dc-259.attackrange.local/attackrange.local HOST/win-dc-259.attackrange.local HOST/WIN-DC-259 HOST/win-dc-259.attackrange.local/ATTACKRANGE HOST/WIN-DC-259/ATTACKRANGE RPC/d57997e9-2226-46f7-9af4-01c28c3b276c._msdcs.attackrange.local RestrictedKrbHost/WIN-DC-259 RestrictedKrbHost/win-dc-259.attackrange.local GC/win-dc-259.attackrange.local/attackrange.local DNS/win-dc-259.attackrange.local ldap/win-dc-259.attackrange.local/DomainDnsZones.attackrange.local ldap/win-dc-259.attackrange.local/ForestDnsZones.attackrange.local TERMSRV/win-dc-259.attackrange.local TERMSRV/WIN-DC-259 Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/win-dc-259.attackrange.local Additional Information: Privileges: - 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231103 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xCF9B7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E83075BA-35C1-EF87-BEAC-24364634FFBC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 49699 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231102 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0xCF9B7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231101 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xCF36E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231100 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xCF36E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4B30A3D8-868D-A46F-738B-96837C683AF8} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231099 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {4B30A3D8-868D-A46F-738B-96837C683AF8} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231098 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {4B30A3D8-868D-A46F-738B-96837C683AF8} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231097 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231096 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xCF0C8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231095 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xCF0C8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4B30A3D8-868D-A46F-738B-96837C683AF8} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231094 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {4B30A3D8-868D-A46F-738B-96837C683AF8} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231093 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {4B30A3D8-868D-A46F-738B-96837C683AF8} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231092 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231091 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xCED51 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231090 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xCED51 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4B30A3D8-868D-A46F-738B-96837C683AF8} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231089 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {4B30A3D8-868D-A46F-738B-96837C683AF8} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231088 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {4B30A3D8-868D-A46F-738B-96837C683AF8} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231087 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231086 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0xCED2F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231085 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xCED2F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 60443 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231084 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0xCED2F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231083 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xCECD1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231082 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC59C5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231081 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC5C11 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231080 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xCECD1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231079 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xCECD1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4B30A3D8-868D-A46F-738B-96837C683AF8} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231078 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {4B30A3D8-868D-A46F-738B-96837C683AF8} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231077 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {4B30A3D8-868D-A46F-738B-96837C683AF8} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231076 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231075 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xCECAD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231074 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xCECAD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231073 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xCECAD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4B30A3D8-868D-A46F-738B-96837C683AF8} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231072 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {4B30A3D8-868D-A46F-738B-96837C683AF8} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231071 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {4B30A3D8-868D-A46F-738B-96837C683AF8} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231070 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231069 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC7928 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231068 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC7176 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231067 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xC5E03 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231142 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0xD272A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231141 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xD272A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 60450 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231140 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0xD272A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:36:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231139 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0xD26A4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231138 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xD26A4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 60449 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231137 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0xD26A4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:36:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231154 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xD309E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E83075BA-35C1-EF87-BEAC-24364634FFBC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 60452 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231153 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0xD309E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:36:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231152 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD2EB5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231151 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD2EB5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF63D66D-8AD3-9EDE-DD78-5227E26B76D7} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231150 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FF63D66D-8AD3-9EDE-DD78-5227E26B76D7} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231149 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FF63D66D-8AD3-9EDE-DD78-5227E26B76D7} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231148 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231147 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD28C4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231146 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD28C4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF63D66D-8AD3-9EDE-DD78-5227E26B76D7} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231145 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FF63D66D-8AD3-9EDE-DD78-5227E26B76D7} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231144 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FF63D66D-8AD3-9EDE-DD78-5227E26B76D7} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231143 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231201 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD5D08 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231200 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD5D08 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {98602D47-BD0B-883B-AF4A-550178D49CEE} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231199 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {98602D47-BD0B-883B-AF4A-550178D49CEE} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231198 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {98602D47-BD0B-883B-AF4A-550178D49CEE} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231197 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231196 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD483F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231195 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD483F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {98602D47-BD0B-883B-AF4A-550178D49CEE} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231194 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {98602D47-BD0B-883B-AF4A-550178D49CEE} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231193 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {98602D47-BD0B-883B-AF4A-550178D49CEE} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231192 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231191 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD462F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231190 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD462F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {98602D47-BD0B-883B-AF4A-550178D49CEE} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231189 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {98602D47-BD0B-883B-AF4A-550178D49CEE} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231188 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {98602D47-BD0B-883B-AF4A-550178D49CEE} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231187 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231186 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD4613 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231185 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD4613 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231184 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD4613 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {98602D47-BD0B-883B-AF4A-550178D49CEE} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231183 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {98602D47-BD0B-883B-AF4A-550178D49CEE} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231182 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {98602D47-BD0B-883B-AF4A-550178D49CEE} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231181 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231180 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD410E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231179 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD3ABA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231178 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD410E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231177 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD410E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {98602D47-BD0B-883B-AF4A-550178D49CEE} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231176 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {98602D47-BD0B-883B-AF4A-550178D49CEE} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231175 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {98602D47-BD0B-883B-AF4A-550178D49CEE} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231174 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231173 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD3ABA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231172 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD3ABA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {98602D47-BD0B-883B-AF4A-550178D49CEE} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231171 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {98602D47-BD0B-883B-AF4A-550178D49CEE} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231170 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {98602D47-BD0B-883B-AF4A-550178D49CEE} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231169 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231168 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD3884 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231167 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD3884 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {98602D47-BD0B-883B-AF4A-550178D49CEE} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231166 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {98602D47-BD0B-883B-AF4A-550178D49CEE} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231165 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {98602D47-BD0B-883B-AF4A-550178D49CEE} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231164 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231163 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD3868 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231162 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD3868 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231161 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD3868 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {98602D47-BD0B-883B-AF4A-550178D49CEE} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231160 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {98602D47-BD0B-883B-AF4A-550178D49CEE} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231159 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {98602D47-BD0B-883B-AF4A-550178D49CEE} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231158 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231157 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD2EB5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231156 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD28C4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231155 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD0ED8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231243 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD7972 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231242 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD7972 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BF185B26-6FA9-F67A-32C6-24A160B24B95} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231241 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {BF185B26-6FA9-F67A-32C6-24A160B24B95} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231240 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {BF185B26-6FA9-F67A-32C6-24A160B24B95} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231239 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231238 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD7922 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231237 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xCED51 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231236 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD0CEA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231235 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xCF0C8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231234 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD3884 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231233 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD612C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231232 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD462F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231231 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD7922 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231230 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD7922 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BF185B26-6FA9-F67A-32C6-24A160B24B95} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231229 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {BF185B26-6FA9-F67A-32C6-24A160B24B95} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231228 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {BF185B26-6FA9-F67A-32C6-24A160B24B95} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231227 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231226 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD7906 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231225 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD7906 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231224 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD7906 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BF185B26-6FA9-F67A-32C6-24A160B24B95} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231223 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {BF185B26-6FA9-F67A-32C6-24A160B24B95} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231222 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {BF185B26-6FA9-F67A-32C6-24A160B24B95} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231221 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231220 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD6449 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231219 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD6449 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231218 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD6449 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BF185B26-6FA9-F67A-32C6-24A160B24B95} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231217 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {BF185B26-6FA9-F67A-32C6-24A160B24B95} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231216 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {BF185B26-6FA9-F67A-32C6-24A160B24B95} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231215 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231214 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD612C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231213 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD612C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BF185B26-6FA9-F67A-32C6-24A160B24B95} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231212 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {BF185B26-6FA9-F67A-32C6-24A160B24B95} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231211 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {BF185B26-6FA9-F67A-32C6-24A160B24B95} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231210 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231209 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD6110 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231208 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD6110 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231207 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD6110 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BF185B26-6FA9-F67A-32C6-24A160B24B95} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231206 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {BF185B26-6FA9-F67A-32C6-24A160B24B95} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231205 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {BF185B26-6FA9-F67A-32C6-24A160B24B95} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231204 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231203 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD5D08 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231202 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD483F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231265 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDA433 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231264 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDA433 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C48AF342-313D-E033-E117-05443723173A} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231263 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {C48AF342-313D-E033-E117-05443723173A} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231262 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {C48AF342-313D-E033-E117-05443723173A} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231261 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231260 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xD9D23 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF7155AB-E894-2C48-1465-BFD32C5603D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 60454 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231259 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0xD9D23 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:36:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231258 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD935D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231257 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD935D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C48AF342-313D-E033-E117-05443723173A} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231256 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {C48AF342-313D-E033-E117-05443723173A} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231255 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {C48AF342-313D-E033-E117-05443723173A} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231254 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231253 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD7E15 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231252 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD7E15 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C48AF342-313D-E033-E117-05443723173A} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231251 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {C48AF342-313D-E033-E117-05443723173A} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231250 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {C48AF342-313D-E033-E117-05443723173A} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231249 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231248 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD7BBE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231247 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD7BBE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C48AF342-313D-E033-E117-05443723173A} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231246 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {C48AF342-313D-E033-E117-05443723173A} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231245 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {C48AF342-313D-E033-E117-05443723173A} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231244 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231282 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDE094 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231281 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD7972 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231280 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD7BBE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231279 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDE094 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231278 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDE094 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9936B95E-0D94-F9E5-E478-CC00A853580F} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231277 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {9936B95E-0D94-F9E5-E478-CC00A853580F} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231276 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {9936B95E-0D94-F9E5-E478-CC00A853580F} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231275 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231274 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDE020 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231273 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDE020 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231272 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDE020 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9936B95E-0D94-F9E5-E478-CC00A853580F} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231271 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {9936B95E-0D94-F9E5-E478-CC00A853580F} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231270 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {9936B95E-0D94-F9E5-E478-CC00A853580F} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231269 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231268 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDA433 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231267 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD935D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231266 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xD7E15 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231302 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDFEB2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231301 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDFEB2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {ADA36F1A-E3EC-2A61-5F6A-0D6A552CA42A} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231300 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {ADA36F1A-E3EC-2A61-5F6A-0D6A552CA42A} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231299 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {ADA36F1A-E3EC-2A61-5F6A-0D6A552CA42A} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231298 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231297 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDECFA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231296 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDECFA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {ADA36F1A-E3EC-2A61-5F6A-0D6A552CA42A} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231295 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {ADA36F1A-E3EC-2A61-5F6A-0D6A552CA42A} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231294 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {ADA36F1A-E3EC-2A61-5F6A-0D6A552CA42A} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231293 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231292 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDE566 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231291 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDE566 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {ADA36F1A-E3EC-2A61-5F6A-0D6A552CA42A} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231290 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {ADA36F1A-E3EC-2A61-5F6A-0D6A552CA42A} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231289 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {ADA36F1A-E3EC-2A61-5F6A-0D6A552CA42A} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231288 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231287 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDE2C4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231286 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDE2C4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {ADA36F1A-E3EC-2A61-5F6A-0D6A552CA42A} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231285 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {ADA36F1A-E3EC-2A61-5F6A-0D6A552CA42A} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231284 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {ADA36F1A-E3EC-2A61-5F6A-0D6A552CA42A} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231283 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231323 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE293C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231322 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDE566 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231321 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE293C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231320 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE293C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F30A4024-F9F4-6BE6-5158-65334A3E51FE} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231319 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {F30A4024-F9F4-6BE6-5158-65334A3E51FE} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231318 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {F30A4024-F9F4-6BE6-5158-65334A3E51FE} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231317 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231316 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE27CE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231315 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE27CE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231314 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE27CE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F30A4024-F9F4-6BE6-5158-65334A3E51FE} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231313 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {F30A4024-F9F4-6BE6-5158-65334A3E51FE} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231312 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {F30A4024-F9F4-6BE6-5158-65334A3E51FE} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231311 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231310 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE0438 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231309 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDFEB2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231308 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xDECFA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231307 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE0438 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231306 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE0438 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F30A4024-F9F4-6BE6-5158-65334A3E51FE} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231305 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {F30A4024-F9F4-6BE6-5158-65334A3E51FE} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231304 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {F30A4024-F9F4-6BE6-5158-65334A3E51FE} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231303 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231360 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE5F0E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231359 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE5F0E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {33A841F4-5E5F-9F34-37A5-7B8C7109394E} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231358 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {33A841F4-5E5F-9F34-37A5-7B8C7109394E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231357 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {33A841F4-5E5F-9F34-37A5-7B8C7109394E} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231356 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231355 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE4B06 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231354 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE4B06 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {33A841F4-5E5F-9F34-37A5-7B8C7109394E} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231353 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {33A841F4-5E5F-9F34-37A5-7B8C7109394E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231352 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {33A841F4-5E5F-9F34-37A5-7B8C7109394E} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231351 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231350 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE48F6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231349 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE48F6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {33A841F4-5E5F-9F34-37A5-7B8C7109394E} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231348 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {33A841F4-5E5F-9F34-37A5-7B8C7109394E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231347 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {33A841F4-5E5F-9F34-37A5-7B8C7109394E} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231346 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231345 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE48DA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231344 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE48DA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231343 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE48DA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {33A841F4-5E5F-9F34-37A5-7B8C7109394E} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231342 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {33A841F4-5E5F-9F34-37A5-7B8C7109394E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231341 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {33A841F4-5E5F-9F34-37A5-7B8C7109394E} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231340 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231339 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE3857 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231338 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE3857 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231337 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE3857 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {33A841F4-5E5F-9F34-37A5-7B8C7109394E} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231336 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {33A841F4-5E5F-9F34-37A5-7B8C7109394E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231335 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {33A841F4-5E5F-9F34-37A5-7B8C7109394E} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231334 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231333 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE2FC3 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231332 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE2FC3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {33A841F4-5E5F-9F34-37A5-7B8C7109394E} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231331 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {33A841F4-5E5F-9F34-37A5-7B8C7109394E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231330 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {33A841F4-5E5F-9F34-37A5-7B8C7109394E} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231329 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231328 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE2D6B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231327 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE2D6B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {33A841F4-5E5F-9F34-37A5-7B8C7109394E} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231326 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {33A841F4-5E5F-9F34-37A5-7B8C7109394E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231325 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {33A841F4-5E5F-9F34-37A5-7B8C7109394E} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231324 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231379 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE6C05 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231378 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE6C05 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F549B0E6-1DF4-1763-940B-0ED1A1B3D454} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231377 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {F549B0E6-1DF4-1763-940B-0ED1A1B3D454} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231376 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {F549B0E6-1DF4-1763-940B-0ED1A1B3D454} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231375 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231374 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE6BE7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231373 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE6BE7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231372 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE6BE7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F549B0E6-1DF4-1763-940B-0ED1A1B3D454} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231371 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {F549B0E6-1DF4-1763-940B-0ED1A1B3D454} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231370 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {F549B0E6-1DF4-1763-940B-0ED1A1B3D454} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231369 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231368 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE6531 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231367 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE5F0E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231366 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE4B06 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231365 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE6531 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231364 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE6531 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F549B0E6-1DF4-1763-940B-0ED1A1B3D454} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231363 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {F549B0E6-1DF4-1763-940B-0ED1A1B3D454} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231362 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {F549B0E6-1DF4-1763-940B-0ED1A1B3D454} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231361 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231414 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231413 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x360 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231412 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE8FF2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231411 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE8FF2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {6E2E4606-A647-BBEA-6FDF-0206E72BDB6D} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231410 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {6E2E4606-A647-BBEA-6FDF-0206E72BDB6D} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231409 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {6E2E4606-A647-BBEA-6FDF-0206E72BDB6D} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231408 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231407 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE7BA1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231406 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE7BA1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {6E2E4606-A647-BBEA-6FDF-0206E72BDB6D} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231405 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {6E2E4606-A647-BBEA-6FDF-0206E72BDB6D} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231404 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {6E2E4606-A647-BBEA-6FDF-0206E72BDB6D} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231403 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231402 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE799A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231401 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE799A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {6E2E4606-A647-BBEA-6FDF-0206E72BDB6D} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231400 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {6E2E4606-A647-BBEA-6FDF-0206E72BDB6D} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231399 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {6E2E4606-A647-BBEA-6FDF-0206E72BDB6D} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231398 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231397 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE797E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231396 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE797E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231395 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE797E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {6E2E4606-A647-BBEA-6FDF-0206E72BDB6D} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231394 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {6E2E4606-A647-BBEA-6FDF-0206E72BDB6D} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231393 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {6E2E4606-A647-BBEA-6FDF-0206E72BDB6D} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231392 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231391 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE73CC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231390 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE6E12 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231389 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE73CC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231388 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE73CC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {6E2E4606-A647-BBEA-6FDF-0206E72BDB6D} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231387 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {6E2E4606-A647-BBEA-6FDF-0206E72BDB6D} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231386 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {6E2E4606-A647-BBEA-6FDF-0206E72BDB6D} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231385 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231384 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE6E12 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231383 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE6E12 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F549B0E6-1DF4-1763-940B-0ED1A1B3D454} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231382 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {F549B0E6-1DF4-1763-940B-0ED1A1B3D454} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231381 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {F549B0E6-1DF4-1763-940B-0ED1A1B3D454} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231380 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231466 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xECBE0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231465 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xECBE0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E9F9A088-9F83-8488-6F57-B199E5202EE2} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231464 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {E9F9A088-9F83-8488-6F57-B199E5202EE2} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231463 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {E9F9A088-9F83-8488-6F57-B199E5202EE2} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231462 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231461 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEBB91 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231460 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEBB91 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E9F9A088-9F83-8488-6F57-B199E5202EE2} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231459 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {E9F9A088-9F83-8488-6F57-B199E5202EE2} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231458 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {E9F9A088-9F83-8488-6F57-B199E5202EE2} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231457 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231456 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEB92F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231455 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEB92F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E9F9A088-9F83-8488-6F57-B199E5202EE2} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231454 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {E9F9A088-9F83-8488-6F57-B199E5202EE2} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231453 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {E9F9A088-9F83-8488-6F57-B199E5202EE2} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231452 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231451 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEB424 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231450 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE2D6B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231449 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE799A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231448 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE9B2D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231447 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE2FC3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231446 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE48F6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231445 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE6C05 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231444 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEB424 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231443 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEB424 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E9F9A088-9F83-8488-6F57-B199E5202EE2} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231442 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {E9F9A088-9F83-8488-6F57-B199E5202EE2} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231441 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {E9F9A088-9F83-8488-6F57-B199E5202EE2} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231440 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231439 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEB3EE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231438 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEB3EE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231437 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEB3EE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E9F9A088-9F83-8488-6F57-B199E5202EE2} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231436 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {E9F9A088-9F83-8488-6F57-B199E5202EE2} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231435 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {E9F9A088-9F83-8488-6F57-B199E5202EE2} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231434 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231433 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE9D01 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231432 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE9D01 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231431 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE9D01 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E9F9A088-9F83-8488-6F57-B199E5202EE2} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231430 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {E9F9A088-9F83-8488-6F57-B199E5202EE2} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231429 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {E9F9A088-9F83-8488-6F57-B199E5202EE2} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231428 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231427 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE9B2D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231426 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE9B2D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E9F9A088-9F83-8488-6F57-B199E5202EE2} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231425 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {E9F9A088-9F83-8488-6F57-B199E5202EE2} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231424 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {E9F9A088-9F83-8488-6F57-B199E5202EE2} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231423 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231422 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE9B11 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231421 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE9B11 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231420 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE9B11 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E9F9A088-9F83-8488-6F57-B199E5202EE2} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231419 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {E9F9A088-9F83-8488-6F57-B199E5202EE2} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231418 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {E9F9A088-9F83-8488-6F57-B199E5202EE2} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231417 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231416 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE8FF2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231415 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xE7BA1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:36:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231476 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEE7E5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231475 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEE7E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0C57AF1B-648F-7ECF-C5AC-EE6F7AF76A33} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231474 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {0C57AF1B-648F-7ECF-C5AC-EE6F7AF76A33} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231473 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {0C57AF1B-648F-7ECF-C5AC-EE6F7AF76A33} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231472 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:36:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231471 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xED89D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:36:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231470 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xED89D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0C57AF1B-648F-7ECF-C5AC-EE6F7AF76A33} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:36:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231469 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {0C57AF1B-648F-7ECF-C5AC-EE6F7AF76A33} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:36:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231468 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {0C57AF1B-648F-7ECF-C5AC-EE6F7AF76A33} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:36:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231467 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231508 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF0DDD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231507 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF0DDD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FDE1407F-6FA8-81D2-A88C-F56264CCFF35} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231506 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FDE1407F-6FA8-81D2-A88C-F56264CCFF35} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231505 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FDE1407F-6FA8-81D2-A88C-F56264CCFF35} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231504 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231503 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF0B7A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231502 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF0B7A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FDE1407F-6FA8-81D2-A88C-F56264CCFF35} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231501 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FDE1407F-6FA8-81D2-A88C-F56264CCFF35} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231500 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FDE1407F-6FA8-81D2-A88C-F56264CCFF35} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231499 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231498 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF092E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231497 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF092E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FDE1407F-6FA8-81D2-A88C-F56264CCFF35} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231496 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FDE1407F-6FA8-81D2-A88C-F56264CCFF35} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231495 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FDE1407F-6FA8-81D2-A88C-F56264CCFF35} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231494 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231493 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF08F9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231492 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEB92F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231491 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEBB91 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231490 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF08F9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231489 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF08F9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FDE1407F-6FA8-81D2-A88C-F56264CCFF35} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231488 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FDE1407F-6FA8-81D2-A88C-F56264CCFF35} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231487 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FDE1407F-6FA8-81D2-A88C-F56264CCFF35} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231486 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231485 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF08DD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231484 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF08DD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231483 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF08DD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FDE1407F-6FA8-81D2-A88C-F56264CCFF35} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231482 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FDE1407F-6FA8-81D2-A88C-F56264CCFF35} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231481 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FDE1407F-6FA8-81D2-A88C-F56264CCFF35} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231480 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231479 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xEE7E5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231478 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xED89D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231477 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xECBE0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231518 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF2911 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231517 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF2911 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {6BAC7383-3757-A63B-84F0-976ACC1A2D0D} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231516 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {6BAC7383-3757-A63B-84F0-976ACC1A2D0D} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231515 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {6BAC7383-3757-A63B-84F0-976ACC1A2D0D} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231514 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231513 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF236A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231512 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF236A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {6BAC7383-3757-A63B-84F0-976ACC1A2D0D} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231511 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {6BAC7383-3757-A63B-84F0-976ACC1A2D0D} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231510 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {6BAC7383-3757-A63B-84F0-976ACC1A2D0D} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231509 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231555 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF7B5B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231554 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF7B5B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {22323FB2-AF43-58AC-FEEF-3AADBEF178AC} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231553 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {22323FB2-AF43-58AC-FEEF-3AADBEF178AC} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231552 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {22323FB2-AF43-58AC-FEEF-3AADBEF178AC} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231551 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231550 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF570A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231549 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF570A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {22323FB2-AF43-58AC-FEEF-3AADBEF178AC} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231548 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {22323FB2-AF43-58AC-FEEF-3AADBEF178AC} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231547 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {22323FB2-AF43-58AC-FEEF-3AADBEF178AC} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231546 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231545 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF541B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231544 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF541B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {22323FB2-AF43-58AC-FEEF-3AADBEF178AC} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231543 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {22323FB2-AF43-58AC-FEEF-3AADBEF178AC} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231542 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {22323FB2-AF43-58AC-FEEF-3AADBEF178AC} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231541 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231540 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF50D1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231539 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF50D1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {22323FB2-AF43-58AC-FEEF-3AADBEF178AC} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231538 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {22323FB2-AF43-58AC-FEEF-3AADBEF178AC} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231537 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {22323FB2-AF43-58AC-FEEF-3AADBEF178AC} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231536 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231535 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF4D2A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231534 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF092E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231533 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF0B7A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231532 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF4D2A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231531 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF4D2A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {22323FB2-AF43-58AC-FEEF-3AADBEF178AC} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231530 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {22323FB2-AF43-58AC-FEEF-3AADBEF178AC} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231529 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {22323FB2-AF43-58AC-FEEF-3AADBEF178AC} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231528 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231527 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF4B4A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231526 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF4B4A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231525 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF4B4A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {22323FB2-AF43-58AC-FEEF-3AADBEF178AC} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231524 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {22323FB2-AF43-58AC-FEEF-3AADBEF178AC} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231523 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {22323FB2-AF43-58AC-FEEF-3AADBEF178AC} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231522 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231521 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF2911 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231520 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF236A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231519 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF0DDD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231584 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFB747 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231583 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFB747 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BAB8C47E-757D-368E-A835-907BDA3A3D0E} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231582 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {BAB8C47E-757D-368E-A835-907BDA3A3D0E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231581 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {BAB8C47E-757D-368E-A835-907BDA3A3D0E} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231580 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231579 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFA419 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231578 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFA419 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BAB8C47E-757D-368E-A835-907BDA3A3D0E} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231577 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {BAB8C47E-757D-368E-A835-907BDA3A3D0E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231576 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {BAB8C47E-757D-368E-A835-907BDA3A3D0E} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231575 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231574 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFA1E5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231573 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFA1E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BAB8C47E-757D-368E-A835-907BDA3A3D0E} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231572 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {BAB8C47E-757D-368E-A835-907BDA3A3D0E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231571 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {BAB8C47E-757D-368E-A835-907BDA3A3D0E} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231570 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231569 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFA1C9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231568 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFA1C9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231567 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFA1C9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BAB8C47E-757D-368E-A835-907BDA3A3D0E} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231566 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {BAB8C47E-757D-368E-A835-907BDA3A3D0E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231565 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {BAB8C47E-757D-368E-A835-907BDA3A3D0E} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231564 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231563 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFA158 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231562 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF7B5B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231561 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF570A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231560 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFA158 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231559 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFA158 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BAB8C47E-757D-368E-A835-907BDA3A3D0E} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231558 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {BAB8C47E-757D-368E-A835-907BDA3A3D0E} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231557 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {BAB8C47E-757D-368E-A835-907BDA3A3D0E} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231556 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231622 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFC5FF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231621 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFC5FF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A8718C8E-A221-2B0D-52AB-069841A77132} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231620 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {A8718C8E-A221-2B0D-52AB-069841A77132} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231619 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {A8718C8E-A221-2B0D-52AB-069841A77132} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231618 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231617 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFC3A1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231616 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFC3A1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A8718C8E-A221-2B0D-52AB-069841A77132} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231615 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {A8718C8E-A221-2B0D-52AB-069841A77132} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231614 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {A8718C8E-A221-2B0D-52AB-069841A77132} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231613 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231612 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFC120 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231611 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFC120 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A8718C8E-A221-2B0D-52AB-069841A77132} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231610 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {A8718C8E-A221-2B0D-52AB-069841A77132} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231609 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {A8718C8E-A221-2B0D-52AB-069841A77132} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231608 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231607 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFBFCC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231606 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF50D1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231605 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xF541B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231604 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFA1E5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231603 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFBFCC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231602 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFBFCC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A8718C8E-A221-2B0D-52AB-069841A77132} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231601 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {A8718C8E-A221-2B0D-52AB-069841A77132} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231600 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {A8718C8E-A221-2B0D-52AB-069841A77132} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231599 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231598 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFBF93 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231597 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFBF93 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231596 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFBF93 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A8718C8E-A221-2B0D-52AB-069841A77132} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231595 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {A8718C8E-A221-2B0D-52AB-069841A77132} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231594 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {A8718C8E-A221-2B0D-52AB-069841A77132} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231593 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231592 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFBF3D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231591 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFB747 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231590 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFA419 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231589 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFBF3D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231588 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFBF3D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A8718C8E-A221-2B0D-52AB-069841A77132} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231587 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {A8718C8E-A221-2B0D-52AB-069841A77132} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231586 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {A8718C8E-A221-2B0D-52AB-069841A77132} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231585 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231632 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFE18F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231631 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFE18F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DD1578AA-ACBE-1088-2B68-6647A8BE7755} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231630 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {DD1578AA-ACBE-1088-2B68-6647A8BE7755} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231629 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {DD1578AA-ACBE-1088-2B68-6647A8BE7755} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231628 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231627 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFDC7F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231626 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFDC7F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DD1578AA-ACBE-1088-2B68-6647A8BE7755} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231625 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {DD1578AA-ACBE-1088-2B68-6647A8BE7755} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231624 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {DD1578AA-ACBE-1088-2B68-6647A8BE7755} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231623 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231664 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFF485 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231663 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFF485 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7A22B577-C287-5B50-8733-BA872D928FC4} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231662 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {7A22B577-C287-5B50-8733-BA872D928FC4} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231661 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {7A22B577-C287-5B50-8733-BA872D928FC4} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231660 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231659 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFEA4C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231658 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFEA4C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7A22B577-C287-5B50-8733-BA872D928FC4} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231657 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {7A22B577-C287-5B50-8733-BA872D928FC4} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231656 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {7A22B577-C287-5B50-8733-BA872D928FC4} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231655 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231654 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFE7F8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231653 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFE7F8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7A22B577-C287-5B50-8733-BA872D928FC4} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231652 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {7A22B577-C287-5B50-8733-BA872D928FC4} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231651 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {7A22B577-C287-5B50-8733-BA872D928FC4} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231650 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231649 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFE7C2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231648 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFC120 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231647 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFC3A1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231646 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFE7C2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231645 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFE7C2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7A22B577-C287-5B50-8733-BA872D928FC4} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231644 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {7A22B577-C287-5B50-8733-BA872D928FC4} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231643 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {7A22B577-C287-5B50-8733-BA872D928FC4} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231642 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231641 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFE7A6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231640 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFE7A6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231639 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFE7A6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7A22B577-C287-5B50-8733-BA872D928FC4} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231638 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {7A22B577-C287-5B50-8733-BA872D928FC4} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231637 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {7A22B577-C287-5B50-8733-BA872D928FC4} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231636 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231635 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFE18F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231634 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFDC7F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231633 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFC5FF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231674 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x100697 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231673 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x100697 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A41557C5-0280-1EB3-7D84-F42B906ECEF9} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231672 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {A41557C5-0280-1EB3-7D84-F42B906ECEF9} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231671 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {A41557C5-0280-1EB3-7D84-F42B906ECEF9} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231670 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231669 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1001DF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231668 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1001DF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7A22B577-C287-5B50-8733-BA872D928FC4} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231667 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {7A22B577-C287-5B50-8733-BA872D928FC4} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231666 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {7A22B577-C287-5B50-8733-BA872D928FC4} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231665 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231711 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x102428 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231710 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x102428 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CE5388A7-0112-37AC-A4B2-08A5746BC9EC} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231709 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {CE5388A7-0112-37AC-A4B2-08A5746BC9EC} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231708 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {CE5388A7-0112-37AC-A4B2-08A5746BC9EC} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231707 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231706 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1016B8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231705 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1016B8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CE5388A7-0112-37AC-A4B2-08A5746BC9EC} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231704 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {CE5388A7-0112-37AC-A4B2-08A5746BC9EC} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231703 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {CE5388A7-0112-37AC-A4B2-08A5746BC9EC} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231702 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231701 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x100E8E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231700 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x100E8E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CE5388A7-0112-37AC-A4B2-08A5746BC9EC} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231699 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {CE5388A7-0112-37AC-A4B2-08A5746BC9EC} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231698 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {CE5388A7-0112-37AC-A4B2-08A5746BC9EC} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231697 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231696 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x100C42 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231695 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x100C42 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CE5388A7-0112-37AC-A4B2-08A5746BC9EC} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231694 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {CE5388A7-0112-37AC-A4B2-08A5746BC9EC} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231693 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {CE5388A7-0112-37AC-A4B2-08A5746BC9EC} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231692 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231691 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x100C0D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231690 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFE7F8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231689 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFEA4C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231688 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x100C0D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231687 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x100C0D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CE5388A7-0112-37AC-A4B2-08A5746BC9EC} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231686 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {CE5388A7-0112-37AC-A4B2-08A5746BC9EC} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231685 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {CE5388A7-0112-37AC-A4B2-08A5746BC9EC} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231684 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231683 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x100BF1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231682 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x100BF1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231681 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x100BF1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CE5388A7-0112-37AC-A4B2-08A5746BC9EC} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231680 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {CE5388A7-0112-37AC-A4B2-08A5746BC9EC} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231679 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {CE5388A7-0112-37AC-A4B2-08A5746BC9EC} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231678 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231677 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x100697 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231676 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1001DF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231675 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0xFF485 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231748 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x102CF0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231747 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x102CF0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5F95C638-1BB1-C1B8-681C-1D60D098819A} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231746 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {5F95C638-1BB1-C1B8-681C-1D60D098819A} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231745 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {5F95C638-1BB1-C1B8-681C-1D60D098819A} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231744 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231743 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x102B41 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231742 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x102B41 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5F95C638-1BB1-C1B8-681C-1D60D098819A} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231741 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {5F95C638-1BB1-C1B8-681C-1D60D098819A} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231740 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {5F95C638-1BB1-C1B8-681C-1D60D098819A} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231739 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231738 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1028F5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231737 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1028F5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5F95C638-1BB1-C1B8-681C-1D60D098819A} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231736 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {5F95C638-1BB1-C1B8-681C-1D60D098819A} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231735 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {5F95C638-1BB1-C1B8-681C-1D60D098819A} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231734 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231733 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1028A1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231732 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x100C42 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231731 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x100E8E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231730 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1028A1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231729 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1028A1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5F95C638-1BB1-C1B8-681C-1D60D098819A} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231728 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {5F95C638-1BB1-C1B8-681C-1D60D098819A} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231727 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {5F95C638-1BB1-C1B8-681C-1D60D098819A} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231726 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231725 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x102885 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231724 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x102885 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231723 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x102885 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5F95C638-1BB1-C1B8-681C-1D60D098819A} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231722 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {5F95C638-1BB1-C1B8-681C-1D60D098819A} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231721 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {5F95C638-1BB1-C1B8-681C-1D60D098819A} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231720 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231719 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10281A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231718 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x102428 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231717 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1016B8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231716 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10281A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231715 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10281A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5F95C638-1BB1-C1B8-681C-1D60D098819A} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231714 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {5F95C638-1BB1-C1B8-681C-1D60D098819A} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231713 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {5F95C638-1BB1-C1B8-681C-1D60D098819A} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231712 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231769 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1045D4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231768 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1028F5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231767 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x102B41 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231766 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1045D4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231765 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1045D4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F9C6E5D0-A8B5-4F3C-DFF7-2035AD7E9610} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231764 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {F9C6E5D0-A8B5-4F3C-DFF7-2035AD7E9610} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231763 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {F9C6E5D0-A8B5-4F3C-DFF7-2035AD7E9610} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231762 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231761 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1045B4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231760 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1045B4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231759 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1045B4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F9C6E5D0-A8B5-4F3C-DFF7-2035AD7E9610} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231758 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {F9C6E5D0-A8B5-4F3C-DFF7-2035AD7E9610} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231757 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {F9C6E5D0-A8B5-4F3C-DFF7-2035AD7E9610} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231756 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231755 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x104089 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231754 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x102CF0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231753 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x104089 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231752 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x104089 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F9C6E5D0-A8B5-4F3C-DFF7-2035AD7E9610} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231751 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {F9C6E5D0-A8B5-4F3C-DFF7-2035AD7E9610} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231750 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {F9C6E5D0-A8B5-4F3C-DFF7-2035AD7E9610} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231749 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231801 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10638D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231800 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10638D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7FCF8F6D-2E46-FAD1-DB4E-4411C5233585} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231799 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {7FCF8F6D-2E46-FAD1-DB4E-4411C5233585} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231798 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {7FCF8F6D-2E46-FAD1-DB4E-4411C5233585} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231797 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231796 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x106182 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231795 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x106182 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7FCF8F6D-2E46-FAD1-DB4E-4411C5233585} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231794 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {7FCF8F6D-2E46-FAD1-DB4E-4411C5233585} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231793 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {7FCF8F6D-2E46-FAD1-DB4E-4411C5233585} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231792 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231791 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x106166 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231790 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x106166 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231789 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x106166 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7FCF8F6D-2E46-FAD1-DB4E-4411C5233585} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231788 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {7FCF8F6D-2E46-FAD1-DB4E-4411C5233585} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231787 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {7FCF8F6D-2E46-FAD1-DB4E-4411C5233585} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231786 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231785 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x104B38 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231784 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x104B38 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231783 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x104B38 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7FCF8F6D-2E46-FAD1-DB4E-4411C5233585} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231782 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {7FCF8F6D-2E46-FAD1-DB4E-4411C5233585} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231781 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {7FCF8F6D-2E46-FAD1-DB4E-4411C5233585} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231780 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231779 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x104855 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231778 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x104855 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7FCF8F6D-2E46-FAD1-DB4E-4411C5233585} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231777 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {7FCF8F6D-2E46-FAD1-DB4E-4411C5233585} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231776 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {7FCF8F6D-2E46-FAD1-DB4E-4411C5233585} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231775 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231774 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x104609 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231773 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x104609 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7FCF8F6D-2E46-FAD1-DB4E-4411C5233585} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231772 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {7FCF8F6D-2E46-FAD1-DB4E-4411C5233585} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231771 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {7FCF8F6D-2E46-FAD1-DB4E-4411C5233585} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231770 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231811 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x107DC7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231810 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x107DC7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FFBF2FD6-C6E3-B10C-AB09-9D6318333AFA} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231809 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FFBF2FD6-C6E3-B10C-AB09-9D6318333AFA} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231808 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FFBF2FD6-C6E3-B10C-AB09-9D6318333AFA} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231807 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231806 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1076E5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231805 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1076E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FFBF2FD6-C6E3-B10C-AB09-9D6318333AFA} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231804 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {FFBF2FD6-C6E3-B10C-AB09-9D6318333AFA} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231803 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {FFBF2FD6-C6E3-B10C-AB09-9D6318333AFA} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231802 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231858 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10A7E2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231857 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10A7E2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B672E4F6-8DEB-8513-9FD7-8B48920A946A} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231856 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B672E4F6-8DEB-8513-9FD7-8B48920A946A} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231855 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B672E4F6-8DEB-8513-9FD7-8B48920A946A} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231854 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231853 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1093C0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231852 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1093C0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B672E4F6-8DEB-8513-9FD7-8B48920A946A} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231851 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B672E4F6-8DEB-8513-9FD7-8B48920A946A} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231850 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B672E4F6-8DEB-8513-9FD7-8B48920A946A} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231849 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231848 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x109217 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231847 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x109217 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B672E4F6-8DEB-8513-9FD7-8B48920A946A} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231846 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B672E4F6-8DEB-8513-9FD7-8B48920A946A} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231845 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B672E4F6-8DEB-8513-9FD7-8B48920A946A} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231844 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231843 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1091FB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231842 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1091FB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231841 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1091FB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B672E4F6-8DEB-8513-9FD7-8B48920A946A} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231840 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B672E4F6-8DEB-8513-9FD7-8B48920A946A} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231839 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B672E4F6-8DEB-8513-9FD7-8B48920A946A} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231838 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231837 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x108F43 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231836 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x108697 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231835 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x108F43 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231834 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x108F43 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B672E4F6-8DEB-8513-9FD7-8B48920A946A} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231833 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B672E4F6-8DEB-8513-9FD7-8B48920A946A} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231832 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B672E4F6-8DEB-8513-9FD7-8B48920A946A} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231831 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231830 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x108697 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231829 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x108697 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B672E4F6-8DEB-8513-9FD7-8B48920A946A} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231828 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B672E4F6-8DEB-8513-9FD7-8B48920A946A} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231827 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B672E4F6-8DEB-8513-9FD7-8B48920A946A} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231826 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231825 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10848A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231824 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10848A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B672E4F6-8DEB-8513-9FD7-8B48920A946A} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231823 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B672E4F6-8DEB-8513-9FD7-8B48920A946A} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231822 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B672E4F6-8DEB-8513-9FD7-8B48920A946A} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231821 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231820 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10846E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231819 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10846E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231818 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10846E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B672E4F6-8DEB-8513-9FD7-8B48920A946A} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231817 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B672E4F6-8DEB-8513-9FD7-8B48920A946A} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231816 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B672E4F6-8DEB-8513-9FD7-8B48920A946A} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231815 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231814 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x107DC7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231813 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1076E5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231812 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10638D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231900 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10C31B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231899 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10C31B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D855A549-5383-F071-5515-CA8C263A2A08} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231898 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {D855A549-5383-F071-5515-CA8C263A2A08} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231897 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {D855A549-5383-F071-5515-CA8C263A2A08} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231896 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231895 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10C2C6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231894 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x104609 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231893 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10ABFB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231892 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x104855 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231891 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10848A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231890 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x109217 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231889 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x106182 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231888 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10C2C6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231887 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10C2C6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D855A549-5383-F071-5515-CA8C263A2A08} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231886 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {D855A549-5383-F071-5515-CA8C263A2A08} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231885 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {D855A549-5383-F071-5515-CA8C263A2A08} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231884 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231883 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10C2AA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231882 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10C2AA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231881 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10C2AA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D855A549-5383-F071-5515-CA8C263A2A08} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231880 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {D855A549-5383-F071-5515-CA8C263A2A08} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231879 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {D855A549-5383-F071-5515-CA8C263A2A08} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231878 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231877 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10AE07 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231876 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10AE07 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231875 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10AE07 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D855A549-5383-F071-5515-CA8C263A2A08} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231874 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {D855A549-5383-F071-5515-CA8C263A2A08} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231873 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {D855A549-5383-F071-5515-CA8C263A2A08} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231872 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231871 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10ABFB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231870 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10ABFB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D855A549-5383-F071-5515-CA8C263A2A08} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231869 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {D855A549-5383-F071-5515-CA8C263A2A08} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231868 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {D855A549-5383-F071-5515-CA8C263A2A08} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231867 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231866 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10ABDF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231865 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10ABDF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231864 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10ABDF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D855A549-5383-F071-5515-CA8C263A2A08} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231863 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {D855A549-5383-F071-5515-CA8C263A2A08} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231862 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {D855A549-5383-F071-5515-CA8C263A2A08} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231861 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231860 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10A7E2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231859 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1093C0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231920 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10E302 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231919 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10E302 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F481A4A8-125F-1EF2-B8BE-4CC1AB0EA2D2} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231918 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {F481A4A8-125F-1EF2-B8BE-4CC1AB0EA2D2} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231917 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {F481A4A8-125F-1EF2-B8BE-4CC1AB0EA2D2} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231916 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231915 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10DB0E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231914 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10DB0E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F481A4A8-125F-1EF2-B8BE-4CC1AB0EA2D2} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231913 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {F481A4A8-125F-1EF2-B8BE-4CC1AB0EA2D2} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231912 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {F481A4A8-125F-1EF2-B8BE-4CC1AB0EA2D2} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231911 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231910 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10CA4D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231909 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10CA4D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F481A4A8-125F-1EF2-B8BE-4CC1AB0EA2D2} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231908 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {F481A4A8-125F-1EF2-B8BE-4CC1AB0EA2D2} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231907 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {F481A4A8-125F-1EF2-B8BE-4CC1AB0EA2D2} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231906 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231905 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10C567 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231904 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10C567 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F481A4A8-125F-1EF2-B8BE-4CC1AB0EA2D2} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231903 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {F481A4A8-125F-1EF2-B8BE-4CC1AB0EA2D2} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231902 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {F481A4A8-125F-1EF2-B8BE-4CC1AB0EA2D2} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231901 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231947 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1118AE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231946 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1118AE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7258BE46-E0DF-6CC1-582C-D0A021A5DCE5} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231945 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {7258BE46-E0DF-6CC1-582C-D0A021A5DCE5} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231944 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {7258BE46-E0DF-6CC1-582C-D0A021A5DCE5} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231943 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231942 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1115DB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231941 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1115DB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7258BE46-E0DF-6CC1-582C-D0A021A5DCE5} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231940 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {7258BE46-E0DF-6CC1-582C-D0A021A5DCE5} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231939 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {7258BE46-E0DF-6CC1-582C-D0A021A5DCE5} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231938 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231937 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x111582 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231936 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10C31B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231935 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10C567 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231934 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x111582 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231933 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x111582 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7258BE46-E0DF-6CC1-582C-D0A021A5DCE5} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231932 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {7258BE46-E0DF-6CC1-582C-D0A021A5DCE5} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231931 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {7258BE46-E0DF-6CC1-582C-D0A021A5DCE5} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231930 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231929 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x111558 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231928 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x111558 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231927 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x111558 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7258BE46-E0DF-6CC1-582C-D0A021A5DCE5} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231926 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {7258BE46-E0DF-6CC1-582C-D0A021A5DCE5} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231925 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {7258BE46-E0DF-6CC1-582C-D0A021A5DCE5} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231924 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231923 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10E302 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231922 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10DB0E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231921 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x10CA4D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231962 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x114225 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231961 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x114225 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {68B57F8D-FCC3-FD86-42FC-353D2181BE13} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231960 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {68B57F8D-FCC3-FD86-42FC-353D2181BE13} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231959 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {68B57F8D-FCC3-FD86-42FC-353D2181BE13} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231958 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231957 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1131DF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231956 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1131DF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {68B57F8D-FCC3-FD86-42FC-353D2181BE13} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231955 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {68B57F8D-FCC3-FD86-42FC-353D2181BE13} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231954 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {68B57F8D-FCC3-FD86-42FC-353D2181BE13} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231953 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231952 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x111C6B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231951 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x111C6B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {68B57F8D-FCC3-FD86-42FC-353D2181BE13} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231950 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {68B57F8D-FCC3-FD86-42FC-353D2181BE13} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231949 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {68B57F8D-FCC3-FD86-42FC-353D2181BE13} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231948 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231999 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x116290 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231998 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x116290 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B908481C-52A4-E48A-B996-CBBFAEA55BBF} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231997 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B908481C-52A4-E48A-B996-CBBFAEA55BBF} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231996 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B908481C-52A4-E48A-B996-CBBFAEA55BBF} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231995 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231994 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x114C10 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231993 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x114C10 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B908481C-52A4-E48A-B996-CBBFAEA55BBF} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231992 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B908481C-52A4-E48A-B996-CBBFAEA55BBF} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231991 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B908481C-52A4-E48A-B996-CBBFAEA55BBF} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231990 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231989 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11492A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231988 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11492A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B908481C-52A4-E48A-B996-CBBFAEA55BBF} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231987 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B908481C-52A4-E48A-B996-CBBFAEA55BBF} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231986 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B908481C-52A4-E48A-B996-CBBFAEA55BBF} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231985 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231984 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x114639 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231983 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x114639 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B908481C-52A4-E48A-B996-CBBFAEA55BBF} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231982 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B908481C-52A4-E48A-B996-CBBFAEA55BBF} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231981 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B908481C-52A4-E48A-B996-CBBFAEA55BBF} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231980 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231979 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11458E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231978 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1115DB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231977 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1118AE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231976 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11458E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231975 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11458E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B908481C-52A4-E48A-B996-CBBFAEA55BBF} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231974 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B908481C-52A4-E48A-B996-CBBFAEA55BBF} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231973 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B908481C-52A4-E48A-B996-CBBFAEA55BBF} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231972 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231971 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11456C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=231970 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11456C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231969 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11456C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B908481C-52A4-E48A-B996-CBBFAEA55BBF} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=231968 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B908481C-52A4-E48A-B996-CBBFAEA55BBF} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=231967 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B908481C-52A4-E48A-B996-CBBFAEA55BBF} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=231966 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231965 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x114225 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231964 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1131DF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=231963 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x111C6B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232019 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11492A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232018 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x116DC5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232017 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x116DC5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CA0A6B09-0C9C-58DB-D25A-05FD17B4DCC8} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232016 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {CA0A6B09-0C9C-58DB-D25A-05FD17B4DCC8} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232015 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {CA0A6B09-0C9C-58DB-D25A-05FD17B4DCC8} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232014 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232013 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x116D89 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232012 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x116D89 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232011 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x116D89 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CA0A6B09-0C9C-58DB-D25A-05FD17B4DCC8} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232010 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {CA0A6B09-0C9C-58DB-D25A-05FD17B4DCC8} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232009 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {CA0A6B09-0C9C-58DB-D25A-05FD17B4DCC8} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232008 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232007 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x116BD7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232006 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x116290 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232005 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x114C10 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232004 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x116BD7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232003 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x116BD7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CA0A6B09-0C9C-58DB-D25A-05FD17B4DCC8} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232002 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {CA0A6B09-0C9C-58DB-D25A-05FD17B4DCC8} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232001 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {CA0A6B09-0C9C-58DB-D25A-05FD17B4DCC8} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232000 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232041 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x118A35 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232040 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x118A35 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4A930A16-7A83-35A7-83BA-44B0A7269C30} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232039 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {4A930A16-7A83-35A7-83BA-44B0A7269C30} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232038 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {4A930A16-7A83-35A7-83BA-44B0A7269C30} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232037 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232036 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x117511 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232035 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x117511 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4A930A16-7A83-35A7-83BA-44B0A7269C30} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232034 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {4A930A16-7A83-35A7-83BA-44B0A7269C30} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232033 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {4A930A16-7A83-35A7-83BA-44B0A7269C30} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232032 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232031 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1170D7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232030 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1170D7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4A930A16-7A83-35A7-83BA-44B0A7269C30} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232029 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {4A930A16-7A83-35A7-83BA-44B0A7269C30} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232028 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {4A930A16-7A83-35A7-83BA-44B0A7269C30} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232027 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232026 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x116E10 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232025 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x116E10 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4A930A16-7A83-35A7-83BA-44B0A7269C30} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232024 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {4A930A16-7A83-35A7-83BA-44B0A7269C30} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232023 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {4A930A16-7A83-35A7-83BA-44B0A7269C30} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232022 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232021 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x116DC5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232020 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x114639 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232078 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11A8D8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232077 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11A8D8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {56CAB66E-4EDE-DA0F-E27D-3352DC4EC8EA} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232076 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {56CAB66E-4EDE-DA0F-E27D-3352DC4EC8EA} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232075 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {56CAB66E-4EDE-DA0F-E27D-3352DC4EC8EA} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232074 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232073 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x119CC0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232072 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x119CC0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {56CAB66E-4EDE-DA0F-E27D-3352DC4EC8EA} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232071 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {56CAB66E-4EDE-DA0F-E27D-3352DC4EC8EA} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232070 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {56CAB66E-4EDE-DA0F-E27D-3352DC4EC8EA} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232069 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232068 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1199F3 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232067 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1199F3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {56CAB66E-4EDE-DA0F-E27D-3352DC4EC8EA} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232066 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {56CAB66E-4EDE-DA0F-E27D-3352DC4EC8EA} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232065 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {56CAB66E-4EDE-DA0F-E27D-3352DC4EC8EA} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232064 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232063 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1199AF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232062 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x116E10 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232061 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1170D7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232060 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1199AF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232059 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x1199AF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {56CAB66E-4EDE-DA0F-E27D-3352DC4EC8EA} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232058 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {56CAB66E-4EDE-DA0F-E27D-3352DC4EC8EA} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232057 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {56CAB66E-4EDE-DA0F-E27D-3352DC4EC8EA} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232056 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232055 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x119987 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232054 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x119987 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232053 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x119987 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {56CAB66E-4EDE-DA0F-E27D-3352DC4EC8EA} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232052 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {56CAB66E-4EDE-DA0F-E27D-3352DC4EC8EA} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232051 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {56CAB66E-4EDE-DA0F-E27D-3352DC4EC8EA} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232050 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232049 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x119800 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232048 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x118A35 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232047 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x117511 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232046 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x119800 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232045 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x119800 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {56CAB66E-4EDE-DA0F-E27D-3352DC4EC8EA} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232044 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {56CAB66E-4EDE-DA0F-E27D-3352DC4EC8EA} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232043 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {56CAB66E-4EDE-DA0F-E27D-3352DC4EC8EA} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232042 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232117 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11CE25 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232116 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11CE25 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B194097B-FBBF-872D-61E0-C4BE89D45DB0} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232115 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B194097B-FBBF-872D-61E0-C4BE89D45DB0} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232114 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B194097B-FBBF-872D-61E0-C4BE89D45DB0} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232113 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232112 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11CB78 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232111 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11CB78 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B194097B-FBBF-872D-61E0-C4BE89D45DB0} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232110 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B194097B-FBBF-872D-61E0-C4BE89D45DB0} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232109 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B194097B-FBBF-872D-61E0-C4BE89D45DB0} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232108 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232107 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11C8AB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232106 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11C8AB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B194097B-FBBF-872D-61E0-C4BE89D45DB0} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232105 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B194097B-FBBF-872D-61E0-C4BE89D45DB0} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232104 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B194097B-FBBF-872D-61E0-C4BE89D45DB0} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232103 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232102 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11C86D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232101 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11C86D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232100 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11C86D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B194097B-FBBF-872D-61E0-C4BE89D45DB0} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232099 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B194097B-FBBF-872D-61E0-C4BE89D45DB0} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232098 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B194097B-FBBF-872D-61E0-C4BE89D45DB0} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232097 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232096 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11B0A1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232095 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11B0A1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232094 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11B0A1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B194097B-FBBF-872D-61E0-C4BE89D45DB0} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232093 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B194097B-FBBF-872D-61E0-C4BE89D45DB0} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232092 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B194097B-FBBF-872D-61E0-C4BE89D45DB0} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232091 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232090 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11ADD1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232089 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11ADD1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B194097B-FBBF-872D-61E0-C4BE89D45DB0} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232088 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B194097B-FBBF-872D-61E0-C4BE89D45DB0} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232087 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B194097B-FBBF-872D-61E0-C4BE89D45DB0} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232086 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232085 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11ADAF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232084 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11ADAF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232083 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11ADAF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B194097B-FBBF-872D-61E0-C4BE89D45DB0} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232082 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B194097B-FBBF-872D-61E0-C4BE89D45DB0} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232081 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B194097B-FBBF-872D-61E0-C4BE89D45DB0} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232080 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232079 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11A8D8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232123 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11DC5C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:37:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232122 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11DC5C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B194097B-FBBF-872D-61E0-C4BE89D45DB0} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232121 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {B194097B-FBBF-872D-61E0-C4BE89D45DB0} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:37:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232120 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B194097B-FBBF-872D-61E0-C4BE89D45DB0} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:37:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232119 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:37:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232118 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x11CE25 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:37:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4616 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security State Change OpCode=Info RecordNumber=232125 Keywords=Audit Success Message=The system time was changed. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x4bc Name: C:\Windows\System32\svchost.exe Previous Time: ‎2020‎-‎11‎-‎09T11:37:25.652121800Z New Time: ‎2020‎-‎11‎-‎09T11:37:25.650000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. 11/09/2020 11:37:25 AM LogName=Security SourceName=Microsoft-Windows-Eventlog EventCode=1100 EventType=4 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Service shutdown OpCode=Info RecordNumber=232124 Keywords=Audit Success Message=The event logging service has shut down. 11/09/2020 11:37:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=232128 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x24c New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1c0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:37:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=232127 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1c0 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:37:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4826 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Other Policy Change Events OpCode=Info RecordNumber=232126 Keywords=Audit Success Message=Boot Configuration Data loaded. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Off Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Off HyperVisor Debugging: No 11/09/2020 11:37:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=232134 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x30c New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2c4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:37:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=232133 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d4 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2c4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:37:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=232132 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2cc New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x27c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:37:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=232131 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2c4 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1c0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:37:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=232130 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x284 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x27c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:37:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=232129 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x27c New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1c0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:37:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4902 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=232139 Keywords=Audit Success Message=The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x5FFA 11/09/2020 11:37:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232138 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:37:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4608 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security State Change OpCode=Info RecordNumber=232137 Keywords=Audit Success Message=Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. 11/09/2020 11:37:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=232136 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x364 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2cc Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:37:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=232135 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x354 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2cc Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:38:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5033 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=232154 Keywords=Audit Success Message=The Windows Firewall Driver started successfully. 11/09/2020 11:38:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232153 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:38:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232152 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232151 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB41F Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 11:38:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232150 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB45F Linked Logon ID: 0xB41F Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x30c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232149 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB41F Linked Logon ID: 0xB45F Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x30c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232148 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x30c Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:38:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232147 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 11:38:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232146 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232145 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:38:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232144 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232143 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 11:38:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232142 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232141 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:38:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232140 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5024 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=232157 Keywords=Audit Success Message=The Windows Firewall service started successfully. 11/09/2020 11:38:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=232156 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x474 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:38:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=232155 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x474 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:38:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=232159 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x540 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:38:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=232158 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x540 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:38:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232161 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:38:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232160 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=232163 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x364 Process Name: C:\Windows\System32\lsass.exe 11/09/2020 11:38:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=232162 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x364 Process Name: C:\Windows\System32\lsass.exe 11/09/2020 11:38:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232165 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:38:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232164 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232182 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:38:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232181 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232180 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:38:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232179 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232178 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:38:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232177 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232176 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x2C1A6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232175 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:38:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232174 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232173 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:38:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232172 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232171 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:38:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232170 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232169 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:38:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232168 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232167 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:38:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232166 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232190 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x3E9A1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:38:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232189 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x3E9A0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:38:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232188 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x3E9A1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x540 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232187 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x3E9A0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x540 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232186 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x540 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:38:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232185 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x540 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:38:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=232184 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:38:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=232183 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-259 Error Code: 0x0 11/09/2020 11:38:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232211 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x46BEA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:38:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232210 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x46BEA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 49705 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232209 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x46BEA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:38:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232208 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x3E9A0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:38:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232207 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-DC-259$ Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x4648B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:38:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232206 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\WIN-DC-259$ Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x4648B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.14 Source Port: 49704 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232205 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\WIN-DC-259$ Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x4648B Privileges: SeAuditPrivilege SeImpersonatePrivilege SeAssignPrimaryTokenPrivilege 11/09/2020 11:38:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232204 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-259$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B7C9E743-7443-06AA-8CC9-FC2EB815A8F9} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40800000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:38:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232203 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-DC-259$ Supplied Realm Name: attackrange.local User ID: ATTACKRANGE\WIN-DC-259$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:38:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=232202 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x474 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:38:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232201 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x42D77 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 49699 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232200 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x42D77 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:38:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232199 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-259$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B7C9E743-7443-06AA-8CC9-FC2EB815A8F9} Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x60810010 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:38:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232198 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x42AEA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 49698 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232197 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x42AEB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 49697 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232196 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x42AEA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:38:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232195 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x42AEB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:38:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232194 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-259$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B7C9E743-7443-06AA-8CC9-FC2EB815A8F9} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:38:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232193 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-259$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B7C9E743-7443-06AA-8CC9-FC2EB815A8F9} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:38:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232192 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-DC-259$ Supplied Realm Name: ATTACKRANGE.LOCAL User ID: ATTACKRANGE\WIN-DC-259$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:38:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232191 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-DC-259$ Supplied Realm Name: ATTACKRANGE.LOCAL User ID: ATTACKRANGE\WIN-DC-259$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:38:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232249 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4A749 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:38:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232248 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4A749 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AE9C339E-6EAB-EAFB-5B73-BC7C24FE38B8} Process Information: Process ID: 0x540 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232247 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {AE9C339E-6EAB-EAFB-5B73-BC7C24FE38B8} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x540 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:38:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232246 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {AE9C339E-6EAB-EAFB-5B73-BC7C24FE38B8} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:38:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232245 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:38:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232244 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4A4E6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:38:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232243 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4A4E6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AE9C339E-6EAB-EAFB-5B73-BC7C24FE38B8} Process Information: Process ID: 0x540 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232242 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {AE9C339E-6EAB-EAFB-5B73-BC7C24FE38B8} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x540 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:38:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232241 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {AE9C339E-6EAB-EAFB-5B73-BC7C24FE38B8} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:38:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232240 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:38:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232239 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4A209 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:38:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232238 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4A209 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AE9C339E-6EAB-EAFB-5B73-BC7C24FE38B8} Process Information: Process ID: 0x540 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232237 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {AE9C339E-6EAB-EAFB-5B73-BC7C24FE38B8} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x540 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:38:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232236 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {AE9C339E-6EAB-EAFB-5B73-BC7C24FE38B8} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:38:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232235 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:38:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232234 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4A1B5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:38:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232233 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4A1B5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:38:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232232 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4A1B5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AE9C339E-6EAB-EAFB-5B73-BC7C24FE38B8} Process Information: Process ID: 0x540 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232231 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {AE9C339E-6EAB-EAFB-5B73-BC7C24FE38B8} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x540 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:38:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232230 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {AE9C339E-6EAB-EAFB-5B73-BC7C24FE38B8} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:38:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232229 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:38:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232228 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x49365 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:38:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232227 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x49365 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:38:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232226 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x49365 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AE9C339E-6EAB-EAFB-5B73-BC7C24FE38B8} Process Information: Process ID: 0x540 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232225 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {AE9C339E-6EAB-EAFB-5B73-BC7C24FE38B8} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x540 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:38:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232224 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {AE9C339E-6EAB-EAFB-5B73-BC7C24FE38B8} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:38:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232223 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:38:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232222 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x49069 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:38:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232221 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x49069 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AE9C339E-6EAB-EAFB-5B73-BC7C24FE38B8} Process Information: Process ID: 0x540 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232220 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {AE9C339E-6EAB-EAFB-5B73-BC7C24FE38B8} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x540 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:38:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232219 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {AE9C339E-6EAB-EAFB-5B73-BC7C24FE38B8} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:38:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232218 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:38:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=232217 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x474 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:38:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232216 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x48C38 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:38:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232215 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x48C38 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AE9C339E-6EAB-EAFB-5B73-BC7C24FE38B8} Process Information: Process ID: 0x540 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232214 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {AE9C339E-6EAB-EAFB-5B73-BC7C24FE38B8} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x540 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:38:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232213 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {AE9C339E-6EAB-EAFB-5B73-BC7C24FE38B8} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:38:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232212 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:38:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232274 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x4C91F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {918C43CF-BFF4-3A3F-B104-429BF877CCFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 61880 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232273 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x4C91F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:38:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232272 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-259$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {F2F95A46-F7B5-FEFA-6172-4B06DD522626} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40800000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:38:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232271 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x4C87A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {918C43CF-BFF4-3A3F-B104-429BF877CCFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 49703 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232270 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x4C87A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:38:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232269 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-259$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {F2F95A46-F7B5-FEFA-6172-4B06DD522626} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40800000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:38:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232268 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: ATTACKRANGE\WIN-DC-259$ Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x4B485 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {918C43CF-BFF4-3A3F-B104-429BF877CCFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232267 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\WIN-DC-259$ Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x4B485 Privileges: SeAuditPrivilege SeImpersonatePrivilege SeAssignPrimaryTokenPrivilege 11/09/2020 11:38:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232266 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-259$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {F2F95A46-F7B5-FEFA-6172-4B06DD522626} Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x60810010 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:38:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232265 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-259$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {F2F95A46-F7B5-FEFA-6172-4B06DD522626} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:38:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232264 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4B33E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:38:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232263 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4A209 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:38:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232262 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4A4E6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:38:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232261 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4B33E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:38:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232260 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4B33E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {83AECEFE-143A-BF52-54FB-D6D354CEADDF} Process Information: Process ID: 0x540 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232259 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {83AECEFE-143A-BF52-54FB-D6D354CEADDF} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x540 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:38:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232258 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {83AECEFE-143A-BF52-54FB-D6D354CEADDF} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:38:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232257 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:38:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232256 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4B313 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:38:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232255 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4B313 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:38:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232254 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4B313 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {83AECEFE-143A-BF52-54FB-D6D354CEADDF} Process Information: Process ID: 0x540 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232253 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {83AECEFE-143A-BF52-54FB-D6D354CEADDF} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x540 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:38:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232252 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {83AECEFE-143A-BF52-54FB-D6D354CEADDF} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:38:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232251 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: ATTACKRANGE User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:38:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232250 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x4A749 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:38:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232287 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x4C986 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:38:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232286 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x4CBD1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:38:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232285 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x4CBD1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AF648D3B-9DFC-D76D-4EB4-DE1E7D1F56AF} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232284 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x4CBD1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:38:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232283 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x4CA98 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:38:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232282 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x4CADF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:38:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232281 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x4CADF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {918C43CF-BFF4-3A3F-B104-429BF877CCFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.14 Source Port: 61882 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232280 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x4CADF Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:38:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232279 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x4CA98 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AF648D3B-9DFC-D76D-4EB4-DE1E7D1F56AF} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232278 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x4CA98 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:38:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232277 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-259$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {5CF6AC18-DE13-982F-20CE-30DE435C3C1E} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:38:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232276 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x4C986 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {918C43CF-BFF4-3A3F-B104-429BF877CCFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 61881 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232275 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x4C986 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:38:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232289 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x4DBC0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 61885 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232288 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x4DBC0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:38:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232294 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x4DCDB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:38:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232293 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x4DCDB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 61886 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:38:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232292 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x4DCDB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:38:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232295 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x4C87A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:39:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Process Creation OpCode=Info RecordNumber=227478 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1f4 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:39:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4826 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Other Policy Change Events OpCode=Info RecordNumber=227477 Keywords=Audit Success Message=Boot Configuration Data loaded. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Off Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Off HyperVisor Debugging: No 11/09/2020 11:39:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Process Creation OpCode=Info RecordNumber=227479 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x27c New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1f4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:39:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Process Creation OpCode=Info RecordNumber=227481 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2b8 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2b0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:39:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Process Creation OpCode=Info RecordNumber=227480 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2b0 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1f4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:39:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Process Creation OpCode=Info RecordNumber=227485 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x354 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2f8 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:39:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Process Creation OpCode=Info RecordNumber=227484 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x318 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2b0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:39:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Process Creation OpCode=Info RecordNumber=227483 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x300 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2f8 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:39:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Process Creation OpCode=Info RecordNumber=227482 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2f8 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1f4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:39:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227489 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:39:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4608 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security State Change OpCode=Info RecordNumber=227488 Keywords=Audit Success Message=Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. 11/09/2020 11:39:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Process Creation OpCode=Info RecordNumber=227487 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x398 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x318 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:39:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Process Creation OpCode=Info RecordNumber=227486 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x388 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x318 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:39:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227494 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 11:39:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227493 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x388 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:39:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227492 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:39:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227491 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x388 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:39:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4902 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227490 Keywords=Audit Success Message=The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x70FE 11/09/2020 11:39:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5033 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Other System Events OpCode=Info RecordNumber=227506 Keywords=Audit Success Message=The Windows Firewall Driver started successfully. 11/09/2020 11:39:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227505 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10DC8 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege 11/09/2020 11:39:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227504 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10DB6 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 11:39:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227503 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10DC8 Linked Logon ID: 0x10DB6 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:39:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227502 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10DB6 Linked Logon ID: 0x10DC8 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:39:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227501 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:39:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227500 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:39:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227499 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x388 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:39:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227498 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 11:39:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227497 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x388 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:39:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227496 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:39:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227495 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x388 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:39:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227519 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x418 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:39:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227518 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x418 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:39:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227517 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:39:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227516 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:39:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227515 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x1708A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:39:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227514 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:39:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227513 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x388 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:39:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227512 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:39:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227511 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x388 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:39:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227510 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:39:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227509 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x388 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:39:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227508 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:39:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227507 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x388 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:39:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5024 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Other System Events OpCode=Info RecordNumber=227520 Keywords=Audit Success Message=The Windows Firewall service started successfully. 11/09/2020 11:39:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232302 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x4F68C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 61891 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:39:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232301 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x4F68C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:39:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232300 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x4F57F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:39:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232299 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x4F57F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 61890 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:39:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232298 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x4F57F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:39:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232297 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x4F538 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 61889 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:39:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232296 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x4F538 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:39:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227522 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:39:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227521 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x388 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227524 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227523 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x388 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4724 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227530 Keywords=Audit Success Message=An attempt was made to reset an account's password. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO 11/09/2020 11:40:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227529 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Changed Attributes: SAM Account Name: Administrator Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: 11/9/2020 11:40:08 AM Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: - 11/09/2020 11:40:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227528 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Process Information: Process ID: 0xfb0 Process Name: C:\Windows\System32\net1.exe 11/09/2020 11:40:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227527 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: WIN-HOST-8\Guest Account Name: Guest Account Domain: EC2AMAZ-DRAP9BO Process Information: Process ID: 0xb10 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 11:40:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227526 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: WIN-HOST-8\DefaultAccount Account Name: DefaultAccount Account Domain: EC2AMAZ-DRAP9BO Process Information: Process ID: 0xb10 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 11:40:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227525 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Process Information: Process ID: 0xb10 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 11:40:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227537 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x70614 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227536 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 4 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x70614 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa38 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227535 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa38 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227534 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227533 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: WIN-HOST-8\Guest Account Name: Guest Account Domain: EC2AMAZ-DRAP9BO Process Information: Process ID: 0xb10 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 11:40:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227532 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: WIN-HOST-8\DefaultAccount Account Name: DefaultAccount Account Domain: EC2AMAZ-DRAP9BO Process Information: Process ID: 0xb10 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 11:40:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227531 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Process Information: Process ID: 0xb10 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 11/09/2020 11:40:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4724 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227542 Keywords=Audit Success Message=An attempt was made to reset an account's password. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x70614 Target Account: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO 11/09/2020 11:40:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227541 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x70614 Target Account: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Changed Attributes: SAM Account Name: Administrator Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: 11/9/2020 11:40:15 AM Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: - 11/09/2020 11:40:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227540 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x70614 User: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Process Information: Process ID: 0x0 Process Name: - 11/09/2020 11:40:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=User Account Management OpCode=Info RecordNumber=227539 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x70614 User: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Process Information: Process ID: 0x0 Process Name: - 11/09/2020 11:40:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227538 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x418 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:40:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=System Integrity OpCode=Info RecordNumber=227550 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x70614 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: tp-86caf8af-472d-4774-84fc-67a1b54392aa Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:40:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Other System Events OpCode=Info RecordNumber=227549 Keywords=Audit Success Message=Key file operation. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x70614 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: tp-86caf8af-472d-4774-84fc-67a1b54392aa Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\8a93915f10357c02a97fd2a46857f1e6_e592d445-77f8-4f09-9dde-c74cee7316a9 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:40:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=System Integrity OpCode=Info RecordNumber=227548 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x70614 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: tp-86caf8af-472d-4774-84fc-67a1b54392aa Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:40:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Other System Events OpCode=Info RecordNumber=227547 Keywords=Audit Success Message=Key file operation. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x70614 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: tp-86caf8af-472d-4774-84fc-67a1b54392aa Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\8a93915f10357c02a97fd2a46857f1e6_e592d445-77f8-4f09-9dde-c74cee7316a9 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:40:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=System Integrity OpCode=Info RecordNumber=227546 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x70614 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: tp-86caf8af-472d-4774-84fc-67a1b54392aa Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:40:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Other System Events OpCode=Info RecordNumber=227545 Keywords=Audit Success Message=Key file operation. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x70614 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: tp-86caf8af-472d-4774-84fc-67a1b54392aa Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\8a93915f10357c02a97fd2a46857f1e6_e592d445-77f8-4f09-9dde-c74cee7316a9 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:40:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=System Integrity OpCode=Info RecordNumber=227544 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x70614 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: tp-86caf8af-472d-4774-84fc-67a1b54392aa Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:40:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Other System Events OpCode=Info RecordNumber=227543 Keywords=Audit Success Message=Key file operation. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x70614 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: tp-86caf8af-472d-4774-84fc-67a1b54392aa Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\8a93915f10357c02a97fd2a46857f1e6_e592d445-77f8-4f09-9dde-c74cee7316a9 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:40:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=System Integrity OpCode=Info RecordNumber=227552 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: tp-86caf8af-472d-4774-84fc-67a1b54392aa Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:40:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Other System Events OpCode=Info RecordNumber=227551 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 8a93915f10357c02a97fd2a46857f1e6_e592d445-77f8-4f09-9dde-c74cee7316a9 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\8a93915f10357c02a97fd2a46857f1e6_e592d445-77f8-4f09-9dde-c74cee7316a9 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:40:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227558 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x7D9BE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227557 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x7D9BE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227556 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227555 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227554 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227553 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227617 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x418 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227616 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x81413 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227615 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x81413 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227614 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227613 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227612 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x81134 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227611 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x7F685 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227610 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x7FAC1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227609 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x81134 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227608 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x81134 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227607 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227606 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227605 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x80EE2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227604 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x80EE2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227603 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x80EE2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227602 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227601 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227600 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x7FDD1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227599 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x7FDD1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227598 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x7FDD1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227597 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227596 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227595 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x7FAC1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227594 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x7FAC1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227593 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227592 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227591 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x7F685 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227590 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x7F685 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227589 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227588 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227587 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x7F601 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227586 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x7EE71 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227585 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x7F2CD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227584 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x7F601 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227583 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x7F601 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227582 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227581 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227580 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x7F5D0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227579 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x7F5D0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227578 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x7F5D0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227577 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227576 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227575 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x7F543 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227574 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x7F543 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227573 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x7F543 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227572 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227571 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227570 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x7F2CD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227569 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x7F2CD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227568 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227567 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227566 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x7EE71 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227565 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x7EE71 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227564 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227563 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227562 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x7EADC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227561 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x7EADC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227560 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227559 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227671 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x84206 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227670 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x84206 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227669 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227668 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227667 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x840E9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227666 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x83BF5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227665 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x840E9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227664 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x840E9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227663 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227662 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227661 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x418 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227660 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x83BF5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227659 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x83BF5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227658 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227657 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227656 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x836F2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227655 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x83989 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227654 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x83989 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227653 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227652 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227651 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x83954 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227650 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x83954 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227649 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x83954 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227648 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227647 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227646 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x836F2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227645 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x836F2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227644 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227643 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227642 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x418 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227641 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x831A7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227640 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x831A7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227639 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227638 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227637 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x7EADC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227636 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x81AD6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227635 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x830DC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227634 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x830DC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227633 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227632 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227631 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x82E93 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227630 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x82E93 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227629 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x82E93 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227628 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227627 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227626 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x81E49 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227625 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x81E49 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227624 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x81E49 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227623 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227622 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227621 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x81AD6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227620 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x81AD6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227619 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227618 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227706 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x86A12 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227705 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x86A12 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227704 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227703 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227702 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x863DE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227701 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x863DE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227700 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227699 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227698 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x418 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:40:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227697 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x85E6B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227696 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x85E6B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227695 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227694 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227693 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x85D96 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:40:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227692 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x84206 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:40:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227691 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x84746 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:40:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227690 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x85D96 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227689 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x85D96 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227688 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227687 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227686 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x85D48 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:40:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227685 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x85D48 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227684 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x85D48 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227683 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227682 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227681 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x84A89 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:40:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227680 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x84A89 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227679 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x84A89 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227678 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227677 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227676 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x84746 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227675 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x84746 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227674 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227673 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227672 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x418 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:40:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227717 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x863DE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:40:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227716 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x886C9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227715 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x886C9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227714 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227713 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227712 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x88531 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:40:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227711 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x88531 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227710 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x88531 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227709 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227708 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227707 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x86A12 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:40:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227734 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x8C713 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227733 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x8C713 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227732 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227731 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227730 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x8AB98 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227729 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x8AB98 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227728 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227727 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227726 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x8A8B9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227725 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x8A8B9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227724 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227723 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227722 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x418 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:40:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227721 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x8A3BF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227720 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x8A3BF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227719 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227718 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227738 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x8D375 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227737 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x8D375 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227736 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227735 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232305 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x5B2F4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:40:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232304 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x5B2F4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 61893 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232303 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x5B2F4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:40:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232307 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x5E5F6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 61898 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232306 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x5E5F6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:40:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227739 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x8A3BF Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xe68 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 11/09/2020 11:40:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227770 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xA23E4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227769 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xA23E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227768 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227767 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227766 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xA0727 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227765 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xA0727 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227764 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227763 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227762 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xA047B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227761 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xA047B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227760 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227759 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227758 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x418 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:40:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227757 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x9FD97 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227756 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x9FD97 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227755 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227754 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227753 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x9FCBC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:40:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227752 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x8A8B9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:40:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227751 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x9FCBC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227750 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x9FCBC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227749 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227748 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227747 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x9FC88 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:40:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227746 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x9FC88 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227745 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x9FC88 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227744 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227743 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227742 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x8D375 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:40:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227741 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x8C713 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:40:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227740 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x8AB98 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:40:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227789 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xA35C1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:40:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227788 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0x9FD97 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:40:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227787 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xA047B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:40:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227786 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xA35C1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227785 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xA35C1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227784 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227783 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227782 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xA3590 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:40:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227781 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xA3590 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227780 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xA3590 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227779 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227778 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227777 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xA332D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:40:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227776 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xA23E4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:40:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227775 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xA0727 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:40:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227774 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xA332D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227773 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xA332D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227772 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227771 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227810 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xA65A6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227809 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xA65A6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227808 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227807 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227806 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xA5957 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227805 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xA5957 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227804 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227803 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227802 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xA3F04 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227801 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xA3F04 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227800 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227799 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227798 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xA3BAC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227797 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xA3BAC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227796 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227795 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227794 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x418 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:40:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227793 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xA36D8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:40:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227792 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xA36D8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:40:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227791 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:40:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227790 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:40:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232309 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x42AEA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:40:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232308 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x4C91F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:41:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232310 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x4DBC0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:41:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227815 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xB4FB4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:41:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227814 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xB4FB4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:41:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227813 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:41:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227812 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:41:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227811 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xA65A6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:41:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227827 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0xca4 Process Name: C:\Windows\System32\VSSVC.exe 11/09/2020 11:41:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227826 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xca4 Process Name: C:\Windows\System32\VSSVC.exe 11/09/2020 11:41:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227825 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0xca4 Process Name: C:\Windows\System32\VSSVC.exe 11/09/2020 11:41:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227824 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xca4 Process Name: C:\Windows\System32\VSSVC.exe 11/09/2020 11:41:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227823 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0xca4 Process Name: C:\Windows\System32\VSSVC.exe 11/09/2020 11:41:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227822 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xca4 Process Name: C:\Windows\System32\VSSVC.exe 11/09/2020 11:41:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227821 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:41:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227820 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x388 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:41:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227819 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0xca4 Process Name: C:\Windows\System32\VSSVC.exe 11/09/2020 11:41:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227818 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xca4 Process Name: C:\Windows\System32\VSSVC.exe 11/09/2020 11:41:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227817 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:41:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227816 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x388 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:41:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227842 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xCE0EC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:41:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227841 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xA36D8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:41:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227840 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xA3BAC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:41:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227839 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xCE0EC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:41:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227838 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xCE0EC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:41:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227837 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:41:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227836 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:41:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227835 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xCE0B0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:41:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227834 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xCE0B0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:41:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227833 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xCE0B0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:41:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227832 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:41:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227831 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:41:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227830 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xB4FB4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:41:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227829 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xA5957 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:41:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227828 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xA3F04 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:41:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227859 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD0842 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:41:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227858 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD0842 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:41:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227857 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:41:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227856 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:41:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227855 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xCEBED Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:41:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227854 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xCEBED Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:41:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227853 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:41:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227852 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:41:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227851 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xCE8CB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:41:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227850 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xCE8CB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:41:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227849 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:41:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227848 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:41:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227847 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x418 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:41:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227846 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xCE1EC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:41:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227845 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xCE1EC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:41:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227844 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:41:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227843 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:41:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232313 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x5F66B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:41:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232312 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x5F66B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 61910 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:41:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232311 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x5F66B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:41:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227878 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD2444 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:41:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227877 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xCE1EC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:41:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227876 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xCE8CB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:41:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227875 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD2444 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:41:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227874 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD2444 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:41:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227873 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:41:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227872 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:41:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227871 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD2413 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:41:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227870 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD2413 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:41:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227869 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD2413 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:41:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227868 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:41:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227867 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:41:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227866 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD1CBF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:41:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227865 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD0842 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:41:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227864 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xCEBED Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:41:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227863 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD1CBF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:41:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227862 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD1CBF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:41:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227861 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:41:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227860 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:41:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227895 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD4B8A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:41:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227894 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD4B8A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:41:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227893 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:41:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227892 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:41:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227891 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD3002 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:41:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227890 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD3002 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:41:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227889 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:41:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227888 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:41:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227887 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD2D0F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:41:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227886 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD2D0F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:41:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227885 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:41:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227884 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:41:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227883 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x418 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:41:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227882 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD271F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:41:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227881 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD271F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:41:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227880 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:41:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227879 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:41:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227927 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD661E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:41:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227926 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD661E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:41:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227925 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:41:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227924 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:41:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227923 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD633B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:41:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227922 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD633B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:41:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227921 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:41:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227920 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:41:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Security Group Management OpCode=Info RecordNumber=227919 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x418 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:41:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227918 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD5E72 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:41:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227917 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD5E72 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:41:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227916 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:41:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227915 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:41:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227914 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD5D7C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:41:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227913 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD271F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:41:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227912 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD2D0F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:41:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227911 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD5D7C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:41:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227910 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD5D7C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:41:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227909 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:41:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227908 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:41:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227907 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD5D4A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:41:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227906 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD5D4A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:41:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227905 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD5D4A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:41:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227904 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:41:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227903 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:41:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227902 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD56B7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:41:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227901 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD4B8A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:41:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227900 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD3002 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:41:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227899 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD56B7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:41:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227898 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD56B7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:41:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227897 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:41:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227896 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:41:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227951 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD9993 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:41:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227950 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD9993 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:41:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227949 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:41:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227948 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:41:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227947 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD9926 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:41:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227946 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD9926 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:41:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227945 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD9926 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:41:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227944 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:41:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227943 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:41:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227942 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD7AC1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:41:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227941 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD7AC1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:41:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227940 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD7AC1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:41:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227939 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:41:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227938 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:41:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227937 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD77F9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:41:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227936 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD77F9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:41:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227935 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:41:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227934 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:41:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227933 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD77C8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:41:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227932 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD77C8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:41:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227931 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD77C8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:41:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227930 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:41:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227929 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:41:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227928 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD661E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:41:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227964 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xDB24F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:41:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227963 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xDB24F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:41:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227962 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:41:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227961 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:41:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227960 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xDA02F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:41:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227959 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xDA02F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:41:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227958 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xDA02F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:41:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227957 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:41:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227956 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:41:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227955 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD9D45 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:41:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227954 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xD9D45 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:41:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227953 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:41:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227952 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:41:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227965 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\_0000000000000000.cdf-ms Handle ID: 0x58 Process Information: Process ID: 0xf24 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:41:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227999 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xDE1F0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:41:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227998 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xDE1F0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:41:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227997 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:41:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227996 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:41:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227995 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xDCEA9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:41:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227994 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xDCEA9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:41:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227993 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xDCEA9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:41:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227992 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:41:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227991 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:41:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227990 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xDCB23 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:41:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227989 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xDCB23 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:41:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227988 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:41:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227987 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:41:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Special Logon OpCode=Info RecordNumber=227986 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xDC7A7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:41:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227985 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xDC7A7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-DRAP9BO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:41:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logon OpCode=Info RecordNumber=227984 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x538 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:41:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Credential Validation OpCode=Info RecordNumber=227983 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-DRAP9BO Error Code: 0x0 11/09/2020 11:41:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Logoff OpCode=Info RecordNumber=227982 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: EC2AMAZ-DRAP9BO Logon ID: 0xDB24F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:41:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227981 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_windows_defender_3e33901162166ae9.cdf-ms Handle ID: 0x64 Process Information: Process ID: 0xf24 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:41:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227980 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_ffd0cbfc813cc4f1.cdf-ms Handle ID: 0x64 Process Information: Process ID: 0xf24 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:41:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227979 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_x86__676bbe2c7241b694.cdf-ms Handle ID: 0x64 Process Information: Process ID: 0xf24 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:41:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227978 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_programs_system_tools_fde5decba5bb578b.cdf-ms Handle ID: 0x64 Process Information: Process ID: 0xf24 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:41:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227977 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_programs_d672ba09d81e87ff.cdf-ms Handle ID: 0x64 Process Information: Process ID: 0xf24 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:41:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227976 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_fde55420546edfe6.cdf-ms Handle ID: 0x64 Process Information: Process ID: 0xf24 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:41:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227975 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_cae2264614449191.cdf-ms Handle ID: 0x58 Process Information: Process ID: 0xf24 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:41:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227974 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_fe5c6d762edd2110.cdf-ms Handle ID: 0x58 Process Information: Process ID: 0xf24 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:41:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227973 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata.cdf-ms Handle ID: 0x58 Process Information: Process ID: 0xf24 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:41:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227972 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_elambkup_0bc02aa0c28485f3.cdf-ms Handle ID: 0x58 Process Information: Process ID: 0xf24 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:41:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227971 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_drivers_dc1b782427b5ee1b.cdf-ms Handle ID: 0x58 Process Information: Process ID: 0xf24 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:41:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227970 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_a349059b05097caa.cdf-ms Handle ID: 0x58 Process Information: Process ID: 0xf24 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:41:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227969 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_3f102d555ee05d33.cdf-ms Handle ID: 0x58 Process Information: Process ID: 0xf24 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:41:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227968 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms Handle ID: 0x58 Process Information: Process ID: 0xf24 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:41:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227967 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_21ffbdd2a2dd92e0.cdf-ms Handle ID: 0x58 Process Information: Process ID: 0xf24 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:41:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Audit Policy Change OpCode=Info RecordNumber=227966 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-DRAP9BO$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$.cdf-ms Handle ID: 0x58 Process Information: Process ID: 0xf24 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 11/09/2020 11:41:37 AM LogName=Security SourceName=Microsoft-Windows-Eventlog EventCode=1100 EventType=4 Type=Information ComputerName=EC2AMAZ-DRAP9BO TaskCategory=Service shutdown OpCode=Info RecordNumber=228000 Keywords=Audit Success Message=The event logging service has shut down. 11/09/2020 11:41:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232314 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-DC-259$ Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x4B485 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:42:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Process Creation OpCode=Info RecordNumber=228003 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x248 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1c0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:42:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Process Creation OpCode=Info RecordNumber=228002 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1c0 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:42:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4826 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Other Policy Change Events OpCode=Info RecordNumber=228001 Keywords=Audit Success Message=Boot Configuration Data loaded. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Off Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Off HyperVisor Debugging: No 11/09/2020 11:42:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228016 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228015 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x350 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4902 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228014 Keywords=Audit Success Message=The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x5531 11/09/2020 11:42:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228013 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4608 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Security State Change OpCode=Info RecordNumber=228012 Keywords=Audit Success Message=Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. 11/09/2020 11:42:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Process Creation OpCode=Info RecordNumber=228011 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x358 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2c8 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:42:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Process Creation OpCode=Info RecordNumber=228010 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x350 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2c8 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:42:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Process Creation OpCode=Info RecordNumber=228009 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x308 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2c0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:42:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Process Creation OpCode=Info RecordNumber=228008 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d0 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2c0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:42:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Process Creation OpCode=Info RecordNumber=228007 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2c8 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x278 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:42:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Process Creation OpCode=Info RecordNumber=228006 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2c0 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1c0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:42:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Process Creation OpCode=Info RecordNumber=228005 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x280 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x278 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:42:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Process Creation OpCode=Info RecordNumber=228004 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x278 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1c0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:42:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=System Integrity OpCode=Info RecordNumber=228046 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:42:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Other System Events OpCode=Info RecordNumber=228045 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_e592d445-77f8-4f09-9dde-c74cee7316a9 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:42:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5024 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Other System Events OpCode=Info RecordNumber=228044 Keywords=Audit Success Message=The Windows Firewall service started successfully. 11/09/2020 11:42:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Security Group Management OpCode=Info RecordNumber=228043 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x40c Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:42:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Security Group Management OpCode=Info RecordNumber=228042 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x40c Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:42:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228041 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x1314D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Security Group Management OpCode=Info RecordNumber=228040 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:42:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Security Group Management OpCode=Info RecordNumber=228039 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:42:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228038 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228037 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x350 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228036 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228035 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x350 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228034 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228033 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x350 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5033 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Other System Events OpCode=Info RecordNumber=228032 Keywords=Audit Success Message=The Windows Firewall Driver started successfully. 11/09/2020 11:42:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228031 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228030 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x350 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228029 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228028 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x350 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228027 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 11:42:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228026 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x350 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228025 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228024 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x350 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228023 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA346 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege 11/09/2020 11:42:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228022 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA329 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 11:42:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228021 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA346 Linked Logon ID: 0xA329 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x308 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228020 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA329 Linked Logon ID: 0xA346 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x308 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228019 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x308 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:42:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228018 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 11:42:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228017 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x350 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=System Integrity OpCode=Info RecordNumber=228048 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:42:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Other System Events OpCode=Info RecordNumber=228047 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_e592d445-77f8-4f09-9dde-c74cee7316a9 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:42:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228063 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x292B7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228062 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x292B7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228061 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:42:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228060 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:42:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228059 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x29167 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228058 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x29167 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228057 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:42:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228056 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:42:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Security Group Management OpCode=Info RecordNumber=228055 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x40c Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:42:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228054 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x289E9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228053 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x289E9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228052 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:42:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228051 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:42:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=System Integrity OpCode=Info RecordNumber=228050 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: tp-86caf8af-472d-4774-84fc-67a1b54392aa Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:42:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Other System Events OpCode=Info RecordNumber=228049 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 8a93915f10357c02a97fd2a46857f1e6_e592d445-77f8-4f09-9dde-c74cee7316a9 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\8a93915f10357c02a97fd2a46857f1e6_e592d445-77f8-4f09-9dde-c74cee7316a9 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:42:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228094 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2B3DA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:42:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228093 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2A52B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:42:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228092 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2A78C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:42:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228091 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2B3DA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228090 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2B3DA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228089 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:42:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228088 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:42:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228087 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2B3A5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:42:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228086 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2B3A5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228085 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2B3A5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228084 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:42:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228083 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:42:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228082 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2AB4C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:42:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228081 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2AB4C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228080 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2AB4C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228079 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:42:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228078 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:42:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228077 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2A78C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228076 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2A78C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228075 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:42:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228074 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:42:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228073 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2A52B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228072 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2A52B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228071 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:42:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228070 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:42:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228069 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2A265 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:42:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228068 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2A265 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228067 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2A265 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228066 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:42:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228065 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:42:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228064 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x292B7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:42:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228102 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2B73E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228101 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2B73E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228100 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:42:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228099 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:42:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228098 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2B49B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228097 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2B49B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228096 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:42:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228095 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:42:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228114 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2D0A1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228113 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2D0A1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228112 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:42:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228111 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:42:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228110 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2CDAC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228109 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2CDAC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228108 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:42:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228107 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:42:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228106 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2B906 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228105 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2B906 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228104 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:42:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228103 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:42:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228140 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x3303F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228139 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x3303F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228138 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:42:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228137 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:42:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228136 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x32DC5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228135 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x32DC5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228134 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:42:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228133 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:42:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228132 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x32B66 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228131 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x32B66 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228130 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:42:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228129 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:42:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228128 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x32B1A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:42:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228127 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2B73E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:42:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228126 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x32B1A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228125 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x32B1A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228124 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:42:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228123 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:42:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228122 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x32AE9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:42:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228121 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x32AE9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228120 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x32AE9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228119 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:42:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228118 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:42:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228117 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2D0A1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:42:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228116 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2CDAC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:42:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228115 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2B906 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:42:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228172 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x357C8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228171 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x357C8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228170 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:42:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228169 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:42:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228168 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x35584 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228167 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x35584 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228166 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:42:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228165 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:42:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228164 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x35325 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228163 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x35325 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228162 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:42:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228161 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:42:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228160 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x352DF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:42:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228159 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x352DF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228158 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x352DF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228157 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:42:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228156 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:42:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228155 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x33EE5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:42:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228154 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x33EE5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228153 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x33EE5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228152 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:42:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228151 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:42:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228150 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x33C65 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228149 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x33C65 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228148 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:42:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228147 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:42:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228146 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x33C33 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:42:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228145 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x33C33 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228144 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x33C33 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228143 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:42:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228142 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:42:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228141 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x3303F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:42:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228177 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x36403 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228176 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x36403 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228175 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:42:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228174 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:42:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228173 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x357C8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:42:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228190 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x369D5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228189 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x369D5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228188 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:42:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228187 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:42:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228186 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x3676E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228185 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x3676E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228184 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:42:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228183 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:42:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228182 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x36504 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228181 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x36504 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228180 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:42:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228179 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:42:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228178 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x36403 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:42:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228195 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x375D9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228194 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x375D9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228193 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:42:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228192 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:42:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228191 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x369D5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:42:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228213 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x38ACD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228212 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x38ACD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228211 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:42:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228210 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:42:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228209 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x37C75 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:42:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228208 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x37C75 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228207 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x37C75 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228206 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:42:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228205 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:42:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228204 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x37A92 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228203 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x37A92 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228202 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:42:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228201 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:42:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228200 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x37833 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228199 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x37833 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228198 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:42:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228197 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:42:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228196 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x375D9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:42:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232317 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x615F0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:42:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232316 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x615F0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 61922 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232315 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x615F0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:42:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228231 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x39F47 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228230 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x39F47 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228229 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:42:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228228 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:42:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228227 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x39274 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:42:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228226 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x39274 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228225 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x39274 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228224 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:42:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228223 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:42:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228222 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x3904B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228221 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x3904B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228220 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:42:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228219 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:42:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228218 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x38DEC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:42:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228217 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x38DEC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:42:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228216 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5cc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:42:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228215 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:42:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228214 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x38ACD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:42:41 AM LogName=Security SourceName=Microsoft-Windows-Eventlog EventCode=1100 EventType=4 Type=Information ComputerName=win-host-8 TaskCategory=Service shutdown OpCode=Info RecordNumber=228232 Keywords=Audit Success Message=The event logging service has shut down. 11/09/2020 11:43:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Process Creation OpCode=Info RecordNumber=228235 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x244 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1bc Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:43:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Process Creation OpCode=Info RecordNumber=228234 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1bc New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:43:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4826 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Other Policy Change Events OpCode=Info RecordNumber=228233 Keywords=Audit Success Message=Boot Configuration Data loaded. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Off Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Off HyperVisor Debugging: No 11/09/2020 11:43:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228248 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228247 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x34c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4902 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228246 Keywords=Audit Success Message=The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x553E 11/09/2020 11:43:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228245 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4608 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Security State Change OpCode=Info RecordNumber=228244 Keywords=Audit Success Message=Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. 11/09/2020 11:43:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Process Creation OpCode=Info RecordNumber=228243 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x35c New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2c4 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:43:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Process Creation OpCode=Info RecordNumber=228242 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x34c New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2c4 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:43:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Process Creation OpCode=Info RecordNumber=228241 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x304 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2bc Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:43:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Process Creation OpCode=Info RecordNumber=228240 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2cc New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2bc Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:43:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Process Creation OpCode=Info RecordNumber=228239 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2c4 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x274 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:43:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Process Creation OpCode=Info RecordNumber=228238 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2bc New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1bc Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:43:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Process Creation OpCode=Info RecordNumber=228237 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x27c New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x274 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:43:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Process Creation OpCode=Info RecordNumber=228236 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x274 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1bc Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:43:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5024 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Other System Events OpCode=Info RecordNumber=228274 Keywords=Audit Success Message=The Windows Firewall service started successfully. 11/09/2020 11:43:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Security Group Management OpCode=Info RecordNumber=228273 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x420 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:43:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Security Group Management OpCode=Info RecordNumber=228272 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x420 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:43:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228271 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x1382A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Security Group Management OpCode=Info RecordNumber=228270 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:43:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Security Group Management OpCode=Info RecordNumber=228269 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:43:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228268 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228267 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x34c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228266 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228265 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x34c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228264 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228263 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x34c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5033 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Other System Events OpCode=Info RecordNumber=228262 Keywords=Audit Success Message=The Windows Firewall Driver started successfully. 11/09/2020 11:43:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228261 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228260 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x34c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228259 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 11:43:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228258 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x34c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228257 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228256 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x34c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228255 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA1E7 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege 11/09/2020 11:43:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228254 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA1D4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 11:43:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228253 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA1E7 Linked Logon ID: 0xA1D4 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228252 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA1D4 Linked Logon ID: 0xA1E7 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228251 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228250 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 11:43:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228249 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x34c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Security Group Management OpCode=Info RecordNumber=228279 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x420 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:43:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228278 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x18F28 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228277 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x18F28 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228276 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228275 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228305 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x1E8EE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228304 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x1E8EE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228303 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228302 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228301 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x1E68F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228300 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x1E68F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228299 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228298 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228297 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x1E64C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228296 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x1E64C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228295 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x1E64C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228294 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228293 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228292 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x1D675 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228291 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x1D675 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228290 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x1D675 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228289 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228288 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228287 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x1D518 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228286 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x1D518 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228285 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228284 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228283 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x1D2AE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228282 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x1D2AE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228281 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228280 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232339 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x63158 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232338 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x63158 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 61944 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232337 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x63158 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232336 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x630EC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232335 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x630EC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 61943 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232334 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x630EC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=232333 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x88c Process Name: C:\Windows\System32\dfsrs.exe 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=232332 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x88c Process Name: C:\Windows\System32\dfsrs.exe 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232331 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x62F76 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232330 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x62F76 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 61941 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232329 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x62F76 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232328 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x62E17 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 61940 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232327 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x62E17 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232326 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x62DDE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {918C43CF-BFF4-3A3F-B104-429BF877CCFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 61939 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232325 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x62DDE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232324 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x62DA3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 61939 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232323 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x62DA3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232322 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x62D51 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 61937 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232321 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x62D51 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232320 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x62D15 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232319 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x62D15 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 61936 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232318 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x62D15 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:43:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228338 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x20C17 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228337 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x20C17 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228336 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228335 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228334 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x1F9AD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228333 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x1F9AD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228332 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228331 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228330 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x1F784 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228329 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x1F784 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228328 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228327 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228326 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x1F525 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228325 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x1F525 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228324 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228323 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228322 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x1F4DB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228321 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x1E68F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228320 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x1E8EE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228319 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x1F4DB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228318 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x1F4DB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228317 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228316 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228315 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x1F4AA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228314 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x1F4AA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228313 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x1F4AA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228312 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228311 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228310 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x1F2E5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228309 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x1F2E5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228308 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x1F2E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228307 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228306 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232345 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x63765 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232344 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x63765 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 61947 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232343 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x63765 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:43:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232342 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x636BA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232341 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x636BA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 61946 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232340 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x636BA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:43:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228358 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x21348 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228357 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x21348 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228356 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228355 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228354 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2116C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228353 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2116C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228352 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228351 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228350 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2113B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228349 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2113B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228348 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2113B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228347 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228346 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228345 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x20FFB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228344 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x20C17 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228343 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x1F9AD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228342 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x20FFB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228341 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x20FFB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228340 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228339 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228395 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x24D5D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228394 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x24D5D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228393 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228392 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228391 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x23AAB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228390 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x23AAB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228389 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228388 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228387 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2383B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228386 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2383B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228385 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228384 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228383 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2380A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228382 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2380A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228381 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2380A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228380 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228379 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228378 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x233D4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228377 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x22D84 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228376 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x233D4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228375 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x233D4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228374 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228373 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228372 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x22D84 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228371 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x22D84 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228370 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228369 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228368 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x22A7D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228367 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x22A7D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228366 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228365 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228364 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x22A4C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228363 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x22A4C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228362 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x22A4C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228361 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228360 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228359 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x21348 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228427 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x268AF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228426 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x1F525 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228425 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x22A7D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228424 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x1F784 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228423 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2116C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228422 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x251F7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228421 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2383B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228420 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x268AF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228419 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x268AF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228418 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228417 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228416 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2687E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228415 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2687E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228414 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2687E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228413 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228412 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228411 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x25BDB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228410 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x25BDB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228409 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x25BDB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228408 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228407 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228406 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x251F7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228405 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x251F7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228404 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228403 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228402 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x251C6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228401 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x251C6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228400 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x251C6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228399 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228398 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228397 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x24D5D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228396 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x23AAB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228443 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x28072 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228442 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x28072 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228441 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228440 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228439 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x26D36 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228438 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x26D36 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228437 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228436 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228435 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x26B58 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228434 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x26B58 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228433 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228432 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228431 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x268F9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228430 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x268F9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228429 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228428 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228447 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x28518 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228446 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x28518 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228445 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228444 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228459 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2AF68 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228458 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2AF68 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228457 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228456 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228455 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x28518 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228454 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x28072 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228453 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x26D36 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4732 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Security Group Management OpCode=Info RecordNumber=228452 Keywords=Audit Success Message=A member was added to a security-enabled local group. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x268F9 Member: Security ID: ATTACKRANGE\Domain Users Account Name: - Group: Security ID: BUILTIN\Users Group Name: Users Group Domain: Builtin Additional Information: Privileges: - 11/09/2020 11:43:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4732 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Security Group Management OpCode=Info RecordNumber=228451 Keywords=Audit Success Message=A member was added to a security-enabled local group. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x268F9 Member: Security ID: ATTACKRANGE\Domain Admins Account Name: - Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: - 11/09/2020 11:43:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228450 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x268F9 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: win-dc-259.attackrange.local Additional Information: LDAP/win-dc-259.attackrange.local Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 10.0.1.14 Port: 49666 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228449 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x268F9 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE.LOCAL Logon GUID: {86035787-708D-296E-3D22-93CB0B25DA6B} Target Server: Target Server Name: win-dc-259.attackrange.local Additional Information: ldap/win-dc-259.attackrange.local Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228448 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x268F9 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE.LOCAL Logon GUID: {86035787-708D-296E-3D22-93CB0B25DA6B} Target Server: Target Server Name: win-dc-259.attackrange.local Additional Information: cifs/win-dc-259.attackrange.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.0.1.14 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232374 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x6432D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {73460C0A-E009-B33C-EF21-CE567965821A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49698 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232373 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x64315 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {73460C0A-E009-B33C-EF21-CE567965821A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49698 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232372 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x64303 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {73460C0A-E009-B33C-EF21-CE567965821A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49701 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232371 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-HOST-8$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {31EECA5D-80F9-8F3E-6EDF-0641651D241A} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49705 Additional Information: Ticket Options: 0x40800000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:43:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232370 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-HOST-8$ Supplied Realm Name: attackrange.local User ID: ATTACKRANGE\WIN-HOST-8$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49704 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:43:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232369 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-HOST-8$ Supplied Realm Name: attackrange.local User ID: ATTACKRANGE\WIN-HOST-8$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49702 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:43:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232368 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x64147 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {73460C0A-E009-B33C-EF21-CE567965821A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49676 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232367 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-HOST-8$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {31EECA5D-80F9-8F3E-6EDF-0641651D241A} Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49695 Additional Information: Ticket Options: 0x60810010 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:43:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232366 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-HOST-8$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {31EECA5D-80F9-8F3E-6EDF-0641651D241A} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49694 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:43:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232365 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x64131 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232364 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x64131 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {73460C0A-E009-B33C-EF21-CE567965821A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49688 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232363 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-HOST-8$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {31EECA5D-80F9-8F3E-6EDF-0641651D241A} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49692 Additional Information: Ticket Options: 0x40800000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:43:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232362 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-HOST-8$ Supplied Realm Name: attackrange.local User ID: ATTACKRANGE\WIN-HOST-8$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49691 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:43:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232361 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-HOST-8$ Supplied Realm Name: attackrange.local User ID: ATTACKRANGE\WIN-HOST-8$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49689 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:43:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232360 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x640F0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4724 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=User Account Management OpCode=Info RecordNumber=232359 Keywords=Audit Success Message=An attempt was made to reset an account's password. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x640F0 Target Account: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE 11/09/2020 11:43:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4722 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=User Account Management OpCode=Info RecordNumber=232358 Keywords=Audit Success Message=A user account was enabled. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x640F0 Target Account: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE 11/09/2020 11:43:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4741 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Computer Account Management OpCode=Info RecordNumber=232357 Keywords=Audit Success Message=A computer account was created. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x640F0 New Computer Account: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Attributes: SAM Account Name: WIN-HOST-8$ Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: 11/9/2020 11:43:36 AM Account Expires: Primary Group ID: 515 AllowedToDelegateTo: - Old UAC Value: 0x0 New UAC Value: 0x80 User Account Control: 'Workstation Trust Account' - Enabled User Parameters: - SID History: - Logon Hours: DNS Host Name: win-host-8.attackrange.local Service Principal Names: HOST/win-host-8.attackrange.local RestrictedKrbHost/win-host-8.attackrange.local HOST/WIN-HOST-8 RestrictedKrbHost/WIN-HOST-8 Additional Information: Privileges - 11/09/2020 11:43:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232356 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x64108 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E5A59DE-FDDC-6649-2E1A-0A5AEE325D41} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49686 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232355 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x64108 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:43:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232354 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x640F0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E5A59DE-FDDC-6649-2E1A-0A5AEE325D41} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49681 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232353 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x640F0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:43:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232352 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {86035787-708D-296E-3D22-93CB0B25DA6B} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49684 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:43:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232351 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: attackrange.local User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49683 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:43:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232350 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x640DF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4E5A59DE-FDDC-6649-2E1A-0A5AEE325D41} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49676 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232349 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x640DF Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:43:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232348 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {86035787-708D-296E-3D22-93CB0B25DA6B} Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49680 Additional Information: Ticket Options: 0x60810010 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:43:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232347 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {86035787-708D-296E-3D22-93CB0B25DA6B} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49679 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:43:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232346 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: attackrange.local User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49678 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:43:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228492 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2CB70 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228491 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2CB70 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228490 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228489 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228488 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2C368 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228487 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2C368 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228486 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228485 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228484 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2C337 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228483 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2C337 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228482 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2C337 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228481 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228480 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228479 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2B6C8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228478 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2B6C8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228477 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2B6C8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228476 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228475 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228474 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2B4C7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228473 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2B4C7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228472 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228471 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228470 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2B139 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228469 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2B139 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228468 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228467 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228466 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2B027 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228465 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x26B58 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228464 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2B027 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228463 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2B027 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228462 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228461 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228460 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2AF68 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232377 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x64303 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232376 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x64346 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232375 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x64346 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {73460C0A-E009-B33C-EF21-CE567965821A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49706 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228515 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2EB4E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228514 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2EB4E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228513 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228512 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228511 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2DEC6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228510 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2DEC6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228509 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2DEC6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228508 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228507 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228506 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2DCDB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228505 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2DCDB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228504 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228503 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228502 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2DA7C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228501 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2DA7C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228500 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228499 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228498 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2DA37 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Special Logon OpCode=Info RecordNumber=228497 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2DA37 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:43:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228496 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2DA37 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logon OpCode=Info RecordNumber=228495 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5b0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:43:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Credential Validation OpCode=Info RecordNumber=228494 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:43:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8 TaskCategory=Logoff OpCode=Info RecordNumber=228493 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2CB70 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:40 AM LogName=Security SourceName=Microsoft-Windows-Eventlog EventCode=1100 EventType=4 Type=Information ComputerName=win-host-8 TaskCategory=Service shutdown OpCode=Info RecordNumber=228516 Keywords=Audit Success Message=The event logging service has shut down. 11/09/2020 11:43:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232379 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x648F5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 61951 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232378 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x648F5 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:43:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232390 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x64C98 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232389 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x64DA6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232388 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x64DEC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:43:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232387 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x64E5C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {918C43CF-BFF4-3A3F-B104-429BF877CCFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 61954 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232386 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x64E5C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:43:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232385 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x64DEC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {918C43CF-BFF4-3A3F-B104-429BF877CCFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.14 Source Port: 61953 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232384 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x64DEC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:43:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232383 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x64DA6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AF648D3B-9DFC-D76D-4EB4-DE1E7D1F56AF} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232382 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x64DA6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:43:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232381 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x64C98 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {918C43CF-BFF4-3A3F-B104-429BF877CCFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 61952 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:43:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232380 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x64C98 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:43:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232391 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x64E5C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=228521 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x280 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x278 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:44:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=228520 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x278 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1bc Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:44:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=228519 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x248 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1bc Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:44:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=228518 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1bc New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:44:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4826 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Other Policy Change Events OpCode=Info RecordNumber=228517 Keywords=Audit Success Message=Boot Configuration Data loaded. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Off Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Off HyperVisor Debugging: No 11/09/2020 11:44:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228534 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 11:44:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228533 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x350 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228532 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228531 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x350 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4902 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=228530 Keywords=Audit Success Message=The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x55BE 11/09/2020 11:44:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228529 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4608 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Security State Change OpCode=Info RecordNumber=228528 Keywords=Audit Success Message=Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. 11/09/2020 11:44:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=228527 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x358 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2c8 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:44:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=228526 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x350 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2c8 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:44:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=228525 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x308 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2c0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:44:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=228524 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d0 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2c0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:44:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=228523 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2c8 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x278 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:44:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=228522 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2c0 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1bc Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:44:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232399 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x6563D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232398 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x6563D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {49CDD040-A99C-924A-1640-462D9BBD0788} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49667 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232397 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-HOST-8$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {5DF55CDA-FCAC-8A10-7E72-246511CE0698} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49676 Additional Information: Ticket Options: 0x40800000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:44:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232396 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x6562C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {49CDD040-A99C-924A-1640-462D9BBD0788} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49670 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232395 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-HOST-8$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {5DF55CDA-FCAC-8A10-7E72-246511CE0698} Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49675 Additional Information: Ticket Options: 0x60810010 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:44:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232394 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-HOST-8$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {5DF55CDA-FCAC-8A10-7E72-246511CE0698} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49674 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:44:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232393 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-HOST-8$ Supplied Realm Name: attackrange.local User ID: ATTACKRANGE\WIN-HOST-8$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49673 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:44:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232392 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-HOST-8$ Supplied Realm Name: attackrange.local User ID: ATTACKRANGE\WIN-HOST-8$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49671 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228568 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x1AEAC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228567 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x1AEAC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5CF466D9-53C3-10C7-C2B0-17A48DDF0CFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228566 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x1AEAC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228565 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x1ABF1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228564 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x1ABF1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5CF466D9-53C3-10C7-C2B0-17A48DDF0CFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228563 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x1ABF1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5024 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=228562 Keywords=Audit Success Message=The Windows Firewall service started successfully. 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=System Integrity OpCode=Info RecordNumber=228561 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=228560 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_e592d445-77f8-4f09-9dde-c74cee7316a9 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=System Integrity OpCode=Info RecordNumber=228559 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=228558 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_e592d445-77f8-4f09-9dde-c74cee7316a9 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=228557 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x34c Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=228556 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x34c Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228555 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x13AEE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=228554 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=228553 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228552 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228551 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x350 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228550 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228549 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x350 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228548 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228547 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x350 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5033 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=228546 Keywords=Audit Success Message=The Windows Firewall Driver started successfully. 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228545 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228544 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x350 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228543 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA4CD Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228542 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA4AC Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228541 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA4CD Linked Logon ID: 0xA4AC Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x308 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228540 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA4AC Linked Logon ID: 0xA4CD Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x308 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228539 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x308 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228538 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228537 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x350 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228536 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228535 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x350 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232424 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x65763 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232423 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x65796 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD3D21AC-11C2-F528-02DB-259865D43A35} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49670 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232422 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-HOST-8$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {732F54B5-4E9B-B8E8-7F40-114422BA08F8} Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49714 Additional Information: Ticket Options: 0x60810010 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232421 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-HOST-8$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {732F54B5-4E9B-B8E8-7F40-114422BA08F8} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49713 Additional Information: Ticket Options: 0x40800000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232420 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x65763 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD3D21AC-11C2-F528-02DB-259865D43A35} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49709 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232419 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-HOST-8$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {732F54B5-4E9B-B8E8-7F40-114422BA08F8} Service Information: Service Name: WIN-HOST-8$ Service ID: ATTACKRANGE\WIN-HOST-8$ Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49707 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232418 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x6574F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD3D21AC-11C2-F528-02DB-259865D43A35} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49706 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232417 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x656D4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4742 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Computer Account Management OpCode=Info RecordNumber=232416 Keywords=Audit Success Message=A computer account was changed. Subject: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x65732 Computer Account That Was Changed: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - DNS Host Name: - Service Principal Names: HOST/win-host-8.attackrange.local RestrictedKrbHost/win-host-8.attackrange.local HOST/WIN-HOST-8 RestrictedKrbHost/WIN-HOST-8 TERMSRV/win-host-8.attackrange.local TERMSRV/WIN-HOST-8 Additional Information: Privileges: - 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4742 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Computer Account Management OpCode=Info RecordNumber=232415 Keywords=Audit Success Message=A computer account was changed. Subject: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x65732 Computer Account That Was Changed: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - DNS Host Name: - Service Principal Names: HOST/win-host-8.attackrange.local RestrictedKrbHost/win-host-8.attackrange.local HOST/WIN-HOST-8 RestrictedKrbHost/WIN-HOST-8 TERMSRV/win-host-8.attackrange.local Additional Information: Privileges: - 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232414 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x65732 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD3D21AC-11C2-F528-02DB-259865D43A35} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49699 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232413 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x65700 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232412 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x65712 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD3D21AC-11C2-F528-02DB-259865D43A35} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49682 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232411 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x65700 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD3D21AC-11C2-F528-02DB-259865D43A35} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49697 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232410 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x656E6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD3D21AC-11C2-F528-02DB-259865D43A35} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49682 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232409 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x656D4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD3D21AC-11C2-F528-02DB-259865D43A35} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49693 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232408 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x656BC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD3D21AC-11C2-F528-02DB-259865D43A35} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49682 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232407 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x656A7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232406 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x656A7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD3D21AC-11C2-F528-02DB-259865D43A35} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49692 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232405 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x6568A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD3D21AC-11C2-F528-02DB-259865D43A35} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49683 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232404 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x6567C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD3D21AC-11C2-F528-02DB-259865D43A35} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49689 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232403 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-HOST-8$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {732F54B5-4E9B-B8E8-7F40-114422BA08F8} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49691 Additional Information: Ticket Options: 0x40800000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232402 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-HOST-8$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {732F54B5-4E9B-B8E8-7F40-114422BA08F8} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49690 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232401 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-HOST-8$ Supplied Realm Name: ATTACKRANGE.LOCAL User ID: ATTACKRANGE\WIN-HOST-8$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49688 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:44:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232400 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-HOST-8$ Supplied Realm Name: ATTACKRANGE.LOCAL User ID: ATTACKRANGE\WIN-HOST-8$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49687 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:44:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=228576 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x34c Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:44:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228575 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x1EACC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228574 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x1EACC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228573 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228572 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=System Integrity OpCode=Info RecordNumber=228571 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: tp-86caf8af-472d-4774-84fc-67a1b54392aa Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:44:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=228570 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 8a93915f10357c02a97fd2a46857f1e6_e592d445-77f8-4f09-9dde-c74cee7316a9 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\8a93915f10357c02a97fd2a46857f1e6_e592d445-77f8-4f09-9dde-c74cee7316a9 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:44:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4739 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Authentication Policy Change OpCode=Info RecordNumber=228569 Keywords=Audit Success Message=Domain Policy was changed. Change Type: Password Policy modified Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Domain: Domain Name: WIN-HOST-8 Domain ID: WIN-HOST-8\ Changed Attributes: Min. Password Age: Max. Password Age: Force Logoff: Lockout Threshold: Lockout Observation Window: Lockout Duration: Password Properties: Min. Password Length: Password History Length: - Machine Account Quota: - Mixed Domain Mode: - Domain Behavior Version: - OEM Information: 1 Additional Information: Privileges: - 11/09/2020 11:44:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232425 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x6574F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228584 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x1F3F9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228583 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x1F3F9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228582 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228581 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228580 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x1F29B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228579 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x1F29B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228578 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228577 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228590 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x20B3E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228589 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x20B3E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228588 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x20B3E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228587 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228586 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228585 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x1F3F9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232438 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x658B0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232437 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x658F0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232436 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-HOST-8$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {A71469FB-D070-F1EC-F6F8-EB3C06494B68} Service Information: Service Name: WIN-HOST-8$ Service ID: ATTACKRANGE\WIN-HOST-8$ Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49724 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:44:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232435 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-HOST-8$ Supplied Realm Name: ATTACKRANGE.LOCAL User ID: ATTACKRANGE\WIN-HOST-8$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49723 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:44:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232434 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x658F0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD3D21AC-11C2-F528-02DB-259865D43A35} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49721 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232433 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x658D9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232432 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x658D9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD3D21AC-11C2-F528-02DB-259865D43A35} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49720 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232431 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x658C2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232430 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x658C2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD3D21AC-11C2-F528-02DB-259865D43A35} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49719 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232429 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x658B0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD3D21AC-11C2-F528-02DB-259865D43A35} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49718 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4742 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Computer Account Management OpCode=Info RecordNumber=232428 Keywords=Audit Success Message=A computer account was changed. Subject: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x6586D Computer Account That Was Changed: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - DNS Host Name: - Service Principal Names: HOST/win-host-8.attackrange.local RestrictedKrbHost/win-host-8.attackrange.local HOST/WIN-HOST-8 RestrictedKrbHost/WIN-HOST-8 TERMSRV/win-host-8.attackrange.local TERMSRV/WIN-HOST-8 WSMAN/win-host-8.attackrange.local WSMAN/win-host-8 Additional Information: Privileges: - 11/09/2020 11:44:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232427 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x6586D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FEC50149-4DCD-2192-3DA5-3C809C849E37} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49716 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232426 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-HOST-8$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {A71469FB-D070-F1EC-F6F8-EB3C06494B68} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49717 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228635 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2408A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228634 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2408A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228633 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228632 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228631 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x22E0F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228630 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x22E0F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228629 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228628 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228627 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x22BBD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228626 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x22BBD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228625 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228624 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228623 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x22940 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228622 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x22940 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228621 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228620 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228619 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2233D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228618 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2103F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228617 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x2238D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228616 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x2238D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EA3EBFFE-C326-7D8D-2F2B-A168D816055B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228615 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x2238D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228614 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon GUID: {A71469FB-D070-F1EC-F6F8-EB3C06494B68} Target Server: Target Server Name: win-host-8$ Additional Information: win-host-8$ Process Information: Process ID: 0xa80 Process Name: C:\Windows\System32\taskhostw.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228613 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x212FB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228612 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2233D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228611 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2233D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228610 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228609 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228608 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2210F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228607 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2210F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228606 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2210F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228605 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228604 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228603 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x21692 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228602 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x21692 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228601 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x21692 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228600 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228599 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228598 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x212FB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228597 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x212FB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228596 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228595 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228594 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2103F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228593 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2103F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228592 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228591 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232440 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x65974 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {26C1987D-9EEC-EBFF-0BCC-CBF385C99C45} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232439 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-HOST-8$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {073F97BB-02FC-FC46-AA98-A9A326CAEA42} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49725 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:44:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228641 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228640 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x350 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228639 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x26672 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228638 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x26672 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228637 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228636 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228668 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2E095 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228667 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2E095 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228666 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228665 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228664 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2DD3F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228663 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2DD3F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228662 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228661 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228660 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2DADF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228659 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2DADF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228658 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228657 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228656 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2D9BF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228655 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x22940 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228654 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x22BBD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228653 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2D9BF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228652 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2D9BF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228651 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228650 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228649 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2D980 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228648 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2D980 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228647 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2D980 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228646 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228645 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228644 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x26672 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228643 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2408A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228642 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x22E0F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228676 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x3020C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228675 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x3020C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228674 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228673 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228672 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2F760 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228671 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2F760 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228670 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228669 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228691 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x3121D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228690 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2DADF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228689 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2DD3F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228688 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x3121D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228687 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x3121D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228686 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228685 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228684 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x311E8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228683 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x311E8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228682 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x311E8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228681 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228680 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228679 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x3020C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228678 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2F760 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228677 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x2E095 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228711 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x3347A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228710 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x3347A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228709 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228708 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228707 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x32CD4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228706 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x32CD4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228705 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228704 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228703 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x31907 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228702 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x31907 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228701 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228700 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228699 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x31640 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228698 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x31640 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228697 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228696 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228695 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x31269 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228694 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x31269 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228693 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228692 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232445 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x6562C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232444 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x65B09 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232443 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-HOST-8$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {71167264-9E0A-965E-065A-73BF77FFBB5D} Service Information: Service Name: WIN-HOST-8$ Service ID: ATTACKRANGE\WIN-HOST-8$ Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 64449 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:44:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232442 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-HOST-8$ Supplied Realm Name: ATTACKRANGE.LOCAL User ID: ATTACKRANGE\WIN-HOST-8$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 64448 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:44:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232441 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x65B09 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD3D21AC-11C2-F528-02DB-259865D43A35} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 64446 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228717 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228716 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x350 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228715 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x33762 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228714 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x33762 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {787E10B1-0541-EB42-E24D-583C0EECB268} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228713 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x33762 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228712 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon GUID: {71167264-9E0A-965E-065A-73BF77FFBB5D} Target Server: Target Server Name: win-host-8$ Additional Information: win-host-8$ Process Information: Process ID: 0xe4c Process Name: C:\Windows\System32\taskhostw.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232448 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x65D4D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232447 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x65D4D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 61965 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232446 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x65D4D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:44:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232449 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x65796 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228722 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x451C1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228721 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x451C1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228720 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228719 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228718 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x3347A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228748 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x47AF9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228747 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x47AF9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228746 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228745 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228744 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x478A8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228743 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x478A8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228742 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228741 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228740 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x47596 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228739 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x47596 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228738 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228737 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228736 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x4752D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228735 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x31640 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228734 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x4752D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228733 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x4752D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228732 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228731 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228730 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x474FC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228729 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x474FC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228728 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x474FC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228727 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228726 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228725 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x451C1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228724 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x32CD4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228723 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x31907 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228756 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x49A00 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228755 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x49A00 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228754 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228753 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228752 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x48F57 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228751 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x48F57 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228750 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228749 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228771 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x4CDB6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228770 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x47596 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228769 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x478A8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228768 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x4CDB6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228767 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x4CDB6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228766 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228765 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228764 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x4CD85 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228763 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x4CD85 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228762 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x4CD85 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228761 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228760 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228759 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x49A00 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228758 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x48F57 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228757 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x47AF9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228791 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x4F06D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228790 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x4F06D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228789 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228788 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228787 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x4E6CB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228786 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x4E6CB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228785 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228784 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228783 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x4D296 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228782 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x4D296 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228781 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228780 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228779 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x4D06D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228778 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x4D06D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228777 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228776 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228775 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x4CE09 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228774 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x4CE09 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228773 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228772 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228828 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x50EDC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228827 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x50EDC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228826 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228825 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228824 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x50EAB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228823 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x50EAB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228822 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x50EAB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228821 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228820 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228819 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x4FA56 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228818 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x4FA56 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228817 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x4FA56 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228816 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228815 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228814 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x4F41F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228813 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x4F41F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228812 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228811 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228810 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x4F1BB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228809 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x4F1BB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228808 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228807 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228806 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x4F171 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228805 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x4CE09 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228804 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x4D06D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228803 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x4F171 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228802 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x4F171 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228801 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228800 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228799 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x4F13C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228798 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x4F13C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228797 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x4F13C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228796 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228795 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228794 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x4F06D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228793 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x4E6CB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228792 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x4D296 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228840 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x52C78 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228839 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x52C78 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228838 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228837 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228836 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x527BC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228835 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x527BC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228834 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228833 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228832 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x51571 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228831 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x51571 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228830 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228829 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228871 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x551BB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228870 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x551BB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228869 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228868 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228867 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x55182 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228866 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x55182 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228865 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x55182 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228864 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228863 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228862 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x54D42 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228861 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5462D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228860 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x54D42 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228859 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x54D42 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228858 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228857 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228856 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5462D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228855 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5462D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228854 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228853 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228852 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x543DB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228851 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x543DB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228850 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228849 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228848 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x543AA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228847 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x543AA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228846 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x543AA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228845 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228844 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228843 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x52C78 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228842 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x527BC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228841 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x51571 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228894 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x56E20 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228893 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x56E20 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228892 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228891 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228890 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x56B91 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228889 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x56B91 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228888 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228887 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228886 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x56B60 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228885 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x56B60 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228884 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x56B60 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228883 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228882 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228881 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x566E0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228880 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x55452 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228879 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x566E0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228878 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x566E0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228877 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228876 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228875 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x55452 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228874 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x55452 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228873 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228872 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228927 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x59B9C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228926 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x59B9C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228925 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228924 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228923 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x58734 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228922 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x58734 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228921 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228920 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228919 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x584F7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228918 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x584F7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228917 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228916 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228915 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x58298 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228914 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x58298 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228913 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228912 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228911 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5824E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228910 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x4F1BB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228909 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x56B91 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228908 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x50EDC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228907 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x551BB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228906 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x543DB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228905 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x4F41F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228904 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5824E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228903 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5824E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228902 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228901 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228900 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5821D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228899 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5821D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228898 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5821D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228897 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228896 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228895 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x56E20 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228953 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5AF72 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228952 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5AF72 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228951 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228950 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228949 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5A579 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228948 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5A579 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228947 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228946 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228945 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5A317 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228944 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5A317 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228943 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228942 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228941 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5A2B1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228940 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x58298 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228939 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x584F7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228938 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5A2B1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228937 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5A2B1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228936 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228935 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228934 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5A280 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228933 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5A280 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228932 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5A280 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228931 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228930 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228929 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x59B9C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228928 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x58734 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228971 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5D3FE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228970 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5D3FE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228969 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228968 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228967 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5C0F1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228966 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5C0F1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228965 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228964 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228963 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5BECF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228962 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5BECF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228961 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228960 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228959 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5BE85 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228958 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5BE85 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228957 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5BE85 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228956 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228955 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228954 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5AF72 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229010 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5F1EE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229009 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5F1EE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229008 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229007 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229006 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5EFC7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229005 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5EFC7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229004 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229003 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229002 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5EF96 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229001 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5EF96 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229000 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5EF96 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228999 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228998 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228997 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5E8D5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228996 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5E3D1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228995 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5E8D5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228994 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5E8D5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228993 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228992 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228991 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5E3D1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228990 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5E3D1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228989 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228988 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228987 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5E204 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228986 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5E204 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228985 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228984 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228983 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5E1D3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228982 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5E1D3 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228981 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5E1D3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228980 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228979 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228978 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5DB17 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228977 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5D3FE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=228976 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5C0F1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=228975 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5DB17 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228974 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5DB17 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=228973 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=228972 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229029 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x60B91 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229028 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x60B91 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229027 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229026 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229025 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x609B4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229024 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x609B4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229023 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229022 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229021 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x60983 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229020 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x60983 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229019 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x60983 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229018 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229017 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229016 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x60578 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229015 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5F1EE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229014 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x60578 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229013 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x60578 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229012 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229011 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229062 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x63892 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229061 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x63892 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229060 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229059 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229058 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6257A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229057 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6257A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229056 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229055 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229054 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6232B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229053 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6232B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229052 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229051 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229050 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x620CC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229049 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x620CC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229048 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229047 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229046 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6207D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229045 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5A317 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229044 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5E204 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229043 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5A579 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229042 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5EFC7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229041 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x609B4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229040 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x5BECF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229039 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6207D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229038 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6207D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229037 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229036 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229035 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6204C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229034 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6204C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229033 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6204C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229032 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229031 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229030 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x60B91 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229093 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6468C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229092 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6468C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229091 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229090 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229089 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x643F3 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229088 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x643F3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229087 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229086 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229085 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x64194 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229084 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x64194 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229083 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229082 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229081 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x64130 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229080 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x620CC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229079 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6232B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229078 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x64130 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229077 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x64130 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229076 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229075 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229074 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x640FF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229073 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x640FF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229072 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x640FF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229071 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229070 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229069 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x64094 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229068 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x63892 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229067 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6257A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229066 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x64094 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229065 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x64094 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229064 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229063 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229112 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6627E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229111 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6627E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229110 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229109 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229108 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x65DC9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229107 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x65DC9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229106 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229105 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229104 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x65D98 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229103 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x65D98 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229102 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x65D98 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229101 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229100 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:44:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229099 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x659AC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229098 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6468C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:44:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229097 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x659AC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:44:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229096 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x659AC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:44:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229095 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:44:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229094 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229149 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6999C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229148 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6999C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229147 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229146 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229145 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x686D5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229144 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x686D5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229143 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229142 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229141 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x684B3 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229140 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x684B3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229139 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229138 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229137 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x68468 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229136 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x68468 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229135 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x68468 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229134 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229133 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229132 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x68175 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229131 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x67925 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229130 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x68175 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229129 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x68175 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229128 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229127 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229126 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x67925 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229125 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x67925 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229124 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229123 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229122 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x676D8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229121 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x676D8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229120 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229119 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229118 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x676A7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229117 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x676A7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229116 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x676A7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229115 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229114 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229113 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6627E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229181 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6B54A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229180 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x64194 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229179 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x65DC9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229178 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x643F3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229177 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x69E77 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229176 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x684B3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229175 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x676D8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229174 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6B54A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229173 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6B54A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229172 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229171 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229170 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6B519 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229169 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6B519 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229168 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6B519 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229167 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229166 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229165 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6A2B0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229164 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6A2B0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229163 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6A2B0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229162 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229161 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229160 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x69E77 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229159 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x69E77 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229158 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229157 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229156 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x69E46 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229155 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x69E46 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229154 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x69E46 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229153 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229152 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229151 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6999C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229150 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x686D5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229197 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6CCF5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229196 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6CCF5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229195 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229194 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229193 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6BA9F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229192 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6BA9F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229191 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229190 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229189 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6B7F7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229188 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6B7F7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229187 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229186 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229185 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6B594 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229184 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6B594 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229183 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229182 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229232 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6EE63 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229231 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6EE63 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229230 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229229 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229228 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6DB0B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229227 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6DB0B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229226 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229225 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229224 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6D8B4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229223 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6D8B4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229222 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229221 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229220 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6D63A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229219 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6D63A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229218 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229217 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229216 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6D5E2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229215 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6B594 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229214 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6B7F7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229213 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6D5E2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229212 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6D5E2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229211 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229210 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229209 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6D5B1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229208 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6D5B1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229207 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6D5B1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229206 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229205 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229204 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6D535 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229203 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6CCF5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229202 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6BA9F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229201 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6D535 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229200 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6D535 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229199 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229198 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229265 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x713FD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229264 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x713FD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229263 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229262 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229261 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x70E0D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229260 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x70E0D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229259 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229258 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229257 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x70BE8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229256 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x70BE8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229255 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229254 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229253 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x70BB7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229252 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x70BB7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229251 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x70BB7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229250 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229249 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229248 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6F593 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229247 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6F593 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229246 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6F593 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229245 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229244 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229243 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6F2A7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229242 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6F2A7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229241 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229240 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229239 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6F271 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229238 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6F271 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229237 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6F271 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229236 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229235 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229234 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6EE63 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229233 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6DB0B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229284 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x73132 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229283 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x73132 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229282 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229281 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229280 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x71BD5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229279 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x71BD5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229278 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229277 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229276 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x719B4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229275 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x719B4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229274 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229273 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229272 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7197E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229271 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7197E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229270 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7197E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229269 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229268 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229267 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x713FD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229266 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x70E0D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229328 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x74F8A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229327 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x74F8A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229326 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229325 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229324 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x74D84 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229323 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x74D84 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229322 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229321 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229320 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x74B22 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229319 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x74B22 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229318 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229317 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229316 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x74AD8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229315 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6D63A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229314 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x70BE8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229313 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6F2A7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229312 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x73398 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229311 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x719B4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229310 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6D8B4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229309 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x74AD8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229308 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x74AD8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229307 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229306 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229305 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x74A8D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229304 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x74A8D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229303 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x74A8D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229302 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229301 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229300 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x73627 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229299 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x73627 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229298 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x73627 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229297 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229296 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229295 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x73398 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229294 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x73398 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229293 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229292 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229291 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x73367 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229290 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x73367 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229289 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x73367 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229288 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229287 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229286 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x73132 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229285 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x71BD5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229355 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x76BB2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229354 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x76BB2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229353 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229352 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229351 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x76B68 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229350 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x74B22 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229349 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x74D84 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229348 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x76B68 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229347 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x76B68 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229346 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229345 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229344 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x76B37 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229343 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x76B37 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229342 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x76B37 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229341 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229340 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229339 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x76AB9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229338 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x762AE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229337 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x74F8A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229336 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x76AB9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229335 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x76AB9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229334 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229333 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229332 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x762AE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229331 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x762AE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229330 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229329 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229382 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x78A5F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229381 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x78A5F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229380 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229379 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229378 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7883D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229377 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7883D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229376 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229375 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229374 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7880C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229373 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7880C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229372 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7880C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229371 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229370 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229369 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x78348 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229368 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x770BC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229367 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x78348 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229366 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x78348 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229365 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229364 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229363 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x770BC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229362 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x770BC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229361 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229360 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229359 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x76E11 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229358 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x76E11 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229357 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229356 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229415 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7B1C2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229414 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7B1C2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229413 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229412 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229411 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7AF2A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229410 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7AF2A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229409 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229408 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229407 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7AEF9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229406 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7AEF9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229405 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7AEF9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229404 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229403 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229402 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7AA2E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229401 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7A42F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229400 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7AA2E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229399 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7AA2E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229398 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229397 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229396 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7A42F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229395 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7A42F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229394 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229393 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229392 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7A158 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229391 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7A158 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229390 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229389 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229388 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7A127 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229387 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7A127 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229386 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7A127 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229385 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229384 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229383 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x78A5F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229434 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7CE07 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229433 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7CE07 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229432 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229431 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229430 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7CC3B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229429 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7CC3B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229428 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229427 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229426 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7CB8C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229425 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7CB8C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229424 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7CB8C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229423 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229422 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229421 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7C45E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229420 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7B1C2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229419 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7C45E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229418 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7C45E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229417 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229416 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229467 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7FB30 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229466 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7FB30 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229465 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229464 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229463 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7E7EC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229462 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7E7EC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229461 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229460 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229459 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7E5C3 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229458 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7E5C3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229457 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229456 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229455 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7E360 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229454 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7E360 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229453 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229452 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229451 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7E2F2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229450 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x76BB2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229449 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7883D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229448 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x76E11 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229447 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7CC3B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229446 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7AF2A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229445 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7A158 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229444 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7E2F2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229443 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7E2F2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229442 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229441 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229440 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7E2B8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229439 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7E2B8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229438 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7E2B8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229437 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229436 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229435 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7CE07 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229497 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x81BBE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229496 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x81BBE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229495 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229494 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229493 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x808E3 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229492 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x808E3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229491 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229490 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229489 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8068B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229488 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8068B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229487 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229486 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229485 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x80401 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229484 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x80401 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229483 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229482 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229481 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8039F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229480 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7E360 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229479 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7E5C3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229478 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8039F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229477 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8039F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229476 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229475 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229474 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x80361 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229473 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x80361 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229472 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x80361 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229471 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229470 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229469 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7FB30 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229468 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x7E7EC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229517 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x83979 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229516 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x83979 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229515 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229514 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229513 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x82285 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229512 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x82285 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229511 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x82285 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229510 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229509 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229508 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x82067 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229507 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x82067 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229506 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229505 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229504 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x82034 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229503 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x82034 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229502 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x82034 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229501 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229500 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229499 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x81BBE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229498 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x808E3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229549 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x85CA9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229548 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x85CA9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229547 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229546 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229545 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x84979 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229544 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x84979 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229543 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229542 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229541 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x84774 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229540 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x84774 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229539 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229538 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229537 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8473E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229536 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8473E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229535 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8473E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229534 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229533 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229532 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8424F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229531 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x83BEE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229530 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8424F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229529 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8424F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229528 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229527 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229526 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x83BEE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229525 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x83BEE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229524 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229523 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229522 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x839AF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229521 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x839AF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229520 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229519 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229518 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x83979 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229581 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x87837 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229580 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x80401 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229579 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x86162 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229578 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x84774 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229577 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x839AF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229576 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x82067 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229575 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8068B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229574 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x87837 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229573 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x87837 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229572 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229571 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229570 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x87806 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229569 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x87806 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229568 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x87806 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229567 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229566 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229565 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x86383 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229564 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x86383 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229563 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x86383 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229562 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229561 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229560 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x86162 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229559 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x86162 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229558 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229557 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229556 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x86131 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229555 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x86131 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229554 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x86131 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229553 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229552 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229551 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x85CA9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229550 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x84979 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232450 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x648F5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229597 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x89006 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229596 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x89006 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229595 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229594 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229593 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x87CC8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229592 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x87CC8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229591 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229590 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229589 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x87AE7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229588 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x87AE7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229587 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229586 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229585 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x87888 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229584 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x87888 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229583 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229582 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229601 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8987D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229600 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8987D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229599 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229598 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229632 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8C435 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229631 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8C435 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229630 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229629 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229628 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8B114 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229627 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8B114 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229626 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229625 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229624 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8AEC3 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229623 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8AEC3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229622 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229621 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229620 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8AC47 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229619 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8AC47 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229618 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229617 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229616 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8ABF9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229615 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x87888 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229614 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x87AE7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229613 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8ABF9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229612 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8ABF9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229611 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229610 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229609 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8ABC8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229608 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8ABC8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229607 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8ABC8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229606 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229605 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229604 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8987D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229603 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x89006 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229602 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x87CC8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229636 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8CC0C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229635 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8CC0C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229634 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229633 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229663 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8F1E9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229662 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8F1E9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229661 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229660 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229659 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8EFF7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229658 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8EFF7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229657 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229656 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229655 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8ECE8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229654 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8ECE8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229653 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229652 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229651 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8EC7F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229650 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8AC47 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229649 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8AEC3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229648 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8EC7F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229647 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8EC7F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229646 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229645 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229644 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8EC46 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229643 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8EC46 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229642 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8EC46 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229641 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229640 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229639 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8CC0C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229638 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8C435 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229637 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8B114 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229687 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x90EDE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229686 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x90EDE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229685 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229684 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229683 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x90C97 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229682 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x90C97 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229681 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229680 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229679 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x90C61 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229678 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x90C61 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229677 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x90C61 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229676 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229675 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229674 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x90BE6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229673 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x90570 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229672 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8F1E9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229671 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x90BE6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229670 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x90BE6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229669 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229668 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229667 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x90570 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229666 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x90570 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229665 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229664 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229724 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x94977 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229723 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x94977 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229722 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229721 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229720 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x935C6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229719 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x935C6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229718 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229717 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229716 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x9337D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229715 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x9337D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229714 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229713 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229712 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x93348 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229711 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x93348 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229710 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x93348 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229709 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229708 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229707 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x92C2E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229706 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x92794 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229705 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x92C2E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229704 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x92C2E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229703 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229702 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229701 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x92794 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229700 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x92794 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229699 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229698 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229697 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x925B4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229696 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x925B4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229695 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229694 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229693 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x9257E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229692 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x9257E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229691 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x9257E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229690 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229689 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229688 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x90EDE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229756 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x96466 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229755 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8ECE8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229754 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x90C97 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229753 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x9337D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229752 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x925B4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229751 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x94D8C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229750 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x8EFF7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229749 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x96466 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229748 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x96466 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229747 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229746 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229745 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x96435 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229744 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x96435 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229743 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x96435 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229742 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229741 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229740 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x95067 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229739 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x95067 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229738 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x95067 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229737 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229736 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229735 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x94D8C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229734 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x94D8C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229733 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229732 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229731 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x94D5B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229730 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x94D5B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229729 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x94D5B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229728 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229727 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229726 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x94977 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229725 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x935C6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229772 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x97D45 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229771 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x97D45 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229770 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229769 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229768 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x96F9D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229767 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x96F9D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229766 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229765 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229764 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x96715 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229763 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x96715 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229762 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229761 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229760 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x964B6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229759 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x964B6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229758 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229757 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229776 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x98B97 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229775 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x98B97 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229774 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229773 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229807 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x9CE63 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229806 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x9CE63 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229805 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229804 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229803 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x9BB12 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229802 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x9BB12 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229801 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229800 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229799 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x9B8E8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229798 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x9B8E8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229797 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229796 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229795 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x9B689 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229794 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x9B689 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229793 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229792 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229791 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x9B63F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229790 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x964B6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229789 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x96715 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229788 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x9B63F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229787 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x9B63F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229786 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229785 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229784 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x9B60E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229783 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x9B60E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229782 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x9B60E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229781 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229780 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229779 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x98B97 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229778 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x97D45 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229777 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x96F9D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229811 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x9D607 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229810 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x9D607 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229809 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229808 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232453 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x674C1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232452 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x674C1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 61977 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232451 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x674C1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:45:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232457 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x65712 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232456 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x656E6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232455 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x656BC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232454 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x6568A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229838 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA51C6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229837 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA51C6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229836 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229835 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229834 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA4F88 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229833 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA4F88 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229832 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229831 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229830 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA4D26 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229829 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA4D26 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229828 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229827 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229826 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA4C5B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229825 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x9B689 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229824 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x9B8E8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229823 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA4C5B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229822 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA4C5B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229821 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229820 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229819 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA4B85 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229818 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA4B85 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229817 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA4B85 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229816 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229815 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229814 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x9D607 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229813 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x9CE63 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229812 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x9BB12 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229856 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA7F0F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229855 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA7F0F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229854 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229853 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229852 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA6C9B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229851 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA6C9B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229850 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229849 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229848 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA69F0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229847 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA69F0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229846 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229845 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229844 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA699E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229843 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA699E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229842 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA699E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229841 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229840 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229839 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA51C6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229895 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA9F2E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229894 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA9F2E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229893 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229892 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229891 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA9D4F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229890 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA9D4F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229889 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229888 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229887 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA9D1E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229886 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA9D1E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229885 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA9D1E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229884 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229883 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229882 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA9995 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229881 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA923B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229880 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA9995 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229879 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA9995 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229878 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229877 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229876 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA923B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229875 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA923B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229874 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229873 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229872 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA8F4E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229871 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA8F4E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229870 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229869 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229868 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA8F1D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229867 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA8F1D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229866 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA8F1D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229865 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229864 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229863 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA8746 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229862 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA7F0F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229861 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA6C9B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229860 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA8746 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229859 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA8746 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229858 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229857 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229914 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xAC234 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229913 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xAC234 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229912 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229911 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229910 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xAB98D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229909 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xAB98D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229908 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229907 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229906 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xAB929 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229905 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xAB929 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229904 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xAB929 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229903 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229902 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229901 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xAB616 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229900 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA9F2E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229899 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xAB616 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229898 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xAB616 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229897 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229896 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229947 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xAE955 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229946 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xAE955 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229945 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229944 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229943 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xAD791 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229942 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xAD791 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229941 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229940 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229939 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xAD430 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229938 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xAD430 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229937 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229936 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229935 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xAD1C9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229934 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xAD1C9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229933 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229932 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229931 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xAD058 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229930 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA4D26 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229929 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xAB98D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229928 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA69F0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229927 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA8F4E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229926 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA9D4F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229925 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xA4F88 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229924 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xAD058 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229923 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xAD058 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229922 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229921 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229920 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xAD027 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229919 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xAD027 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229918 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xAD027 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229917 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229916 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229915 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xAC234 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=User Account Management OpCode=Info RecordNumber=229954 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xAD1C9 User: Security ID: WIN-HOST-8\Guest Account Name: Guest Account Domain: WIN-HOST-8 Process Information: Process ID: 0xbe8 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 11/09/2020 11:45:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=User Account Management OpCode=Info RecordNumber=229953 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xAD1C9 User: Security ID: WIN-HOST-8\DefaultAccount Account Name: DefaultAccount Account Domain: WIN-HOST-8 Process Information: Process ID: 0xbe8 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 11/09/2020 11:45:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=User Account Management OpCode=Info RecordNumber=229952 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xAD1C9 User: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Process Information: Process ID: 0xbe8 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 11/09/2020 11:45:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229951 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xAF254 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229950 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xAF254 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229949 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229948 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232458 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x6840B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AD3D21AC-11C2-F528-02DB-259865D43A35} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 64456 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229985 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB4076 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229984 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB4076 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229983 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229982 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229981 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB2BE6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229980 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB2BE6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229979 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229978 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229977 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB2969 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229976 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB2969 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229975 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229974 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229973 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB26B7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229972 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB26B7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229971 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229970 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229969 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB230D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229968 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xAD1C9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229967 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xAD430 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229966 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB230D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229965 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB230D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229964 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229963 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229962 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB1EE4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229961 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB1EE4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229960 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB1EE4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229959 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229958 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229957 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xAF254 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229956 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xAE955 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229955 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xAD791 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229989 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB495B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229988 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB495B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229987 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229986 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230015 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB7DCA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230014 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB7DCA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230013 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230012 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230011 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB753B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230010 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB753B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230009 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230008 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230007 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB72DC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230006 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB72DC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230005 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230004 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230003 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB70E1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230002 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB2969 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230001 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB70E1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230000 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB70E1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229999 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229998 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229997 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB6CFB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=229996 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB6CFB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229995 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB6CFB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=229994 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=229993 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229992 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB495B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229991 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB4076 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=229990 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB2BE6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230033 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBA387 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230032 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBA387 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230031 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230030 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230029 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB910D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230028 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB910D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230027 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230026 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230025 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB8E64 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230024 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB8E64 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230023 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230022 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230021 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB8E33 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230020 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB8E33 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230019 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB8E33 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230018 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230017 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230016 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB7DCA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230063 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBBF3D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230062 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBBF3D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230061 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230060 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230059 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBBADF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230058 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBB50A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230057 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBBADF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230056 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBBADF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230055 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230054 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230053 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBB50A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230052 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBB50A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230051 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230050 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230049 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBB18A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230048 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBB18A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230047 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230046 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230045 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBB151 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230044 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBB151 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230043 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBB151 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230042 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230041 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230040 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBABBC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230039 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBA387 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230038 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB910D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230037 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBABBC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230036 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBABBC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230035 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230034 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230091 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBDB7B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230090 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBDB7B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230089 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230088 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230087 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBD955 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230086 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBD955 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230085 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230084 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230083 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBD924 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230082 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBD924 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230081 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBD924 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230080 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230079 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230078 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBD497 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230077 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBC205 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230076 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBD497 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230075 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBD497 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230074 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230073 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230072 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBC205 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230071 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBC205 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230070 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230069 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230068 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBBF70 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230067 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBBF70 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230066 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230065 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230064 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBBF3D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230124 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC080A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230123 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC080A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230122 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230121 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230120 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBFC13 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230119 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBFC13 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230118 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230117 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230116 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBF2C4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230115 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBF2C4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230114 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230113 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230112 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBF062 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230111 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBF062 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230110 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230109 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230108 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBF016 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230107 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB72DC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230106 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBB18A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230105 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB8E64 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230104 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBBF70 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230103 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBD955 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230102 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xB753B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230101 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBF016 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230100 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBF016 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230099 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230098 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230097 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBEFE5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230096 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBEFE5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230095 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBEFE5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230094 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230093 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230092 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBDB7B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=User Account Management OpCode=Info RecordNumber=230131 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBF062 User: Security ID: WIN-HOST-8\Guest Account Name: Guest Account Domain: WIN-HOST-8 Process Information: Process ID: 0xd88 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 11/09/2020 11:45:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=User Account Management OpCode=Info RecordNumber=230130 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBF062 User: Security ID: WIN-HOST-8\DefaultAccount Account Name: DefaultAccount Account Domain: WIN-HOST-8 Process Information: Process ID: 0xd88 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 11/09/2020 11:45:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=User Account Management OpCode=Info RecordNumber=230129 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBF062 User: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Process Information: Process ID: 0xd88 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 11/09/2020 11:45:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230128 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC0E12 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230127 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC0E12 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230126 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230125 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230162 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC30B1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230161 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC30B1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230160 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230159 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230158 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC1B40 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230157 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC1B40 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230156 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230155 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230154 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC1919 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230153 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC1919 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230152 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230151 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230150 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC16BA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230149 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC16BA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230148 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230147 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230146 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC165C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230145 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBF062 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230144 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBF2C4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230143 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC165C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230142 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC165C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230141 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230140 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230139 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC162B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230138 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC162B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230137 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC162B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230136 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230135 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230134 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC0E12 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230133 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC080A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:55 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230132 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xBFC13 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230166 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC36CD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230165 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC36CD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230164 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230163 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232460 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x64147 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232459 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x640DF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230197 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC768E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230196 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC768E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230195 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230194 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230193 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC6131 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230192 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC6131 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230191 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230190 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230189 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC5F1F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230188 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC5F1F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230187 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230186 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230185 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC5CBB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230184 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC5CBB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230183 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230182 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230181 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC5AC9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230180 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC16BA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230179 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC1919 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230178 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC5AC9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230177 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC5AC9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230176 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230175 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230174 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC58A5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230173 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC58A5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230172 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC58A5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230171 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230170 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230169 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC36CD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230168 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC30B1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230167 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC1B40 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230221 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCA6B1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230220 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCA6B1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230219 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230218 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230217 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC93A7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230216 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC93A7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230215 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230214 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230213 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC918D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230212 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC918D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230211 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230210 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230209 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC914D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230208 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC914D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230207 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC914D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230206 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230205 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230204 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC90E5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230203 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC768E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230202 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC6131 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230201 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC90E5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230200 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC90E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230199 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230198 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230257 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCC9C5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230256 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCC9C5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230255 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230254 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230253 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCB446 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230252 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCB446 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230251 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230250 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230249 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCB21D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230248 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCB21D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230247 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230246 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230245 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCAFBE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230244 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCAFBE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230243 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230242 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230241 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCAF74 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230240 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC5CBB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230239 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC5F1F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230238 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC918D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230237 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCAF74 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230236 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCAF74 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230235 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230234 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230233 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCAF3F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230232 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCAF3F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230231 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCAF3F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230230 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230229 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:45:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230228 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCAED6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230227 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCA6B1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230226 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xC93A7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:45:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230225 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCAED6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:45:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230224 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCAED6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:45:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230223 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:45:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230222 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230274 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCB21D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230273 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCD542 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230272 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCD542 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230271 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230270 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230269 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCD511 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230268 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCD511 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230267 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCD511 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230266 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230265 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230264 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCCEE9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230263 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCC9C5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230262 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCB446 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230261 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCCEE9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230260 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCCEE9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230259 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230258 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230292 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCED19 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230291 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCED19 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230290 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230289 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230288 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCDA08 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230287 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCDA08 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230286 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230285 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230284 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCD7EF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230283 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCD7EF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230282 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230281 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230280 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCD590 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230279 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCD590 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230278 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230277 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230276 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCD542 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230275 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCAFBE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230311 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCF97F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230310 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCD590 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230309 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCD7EF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230308 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCF97F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230307 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCF97F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230306 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230305 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230304 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCF94E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230303 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCF94E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230302 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCF94E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230301 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230300 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230299 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCF5D8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230298 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCED19 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230297 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCDA08 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230296 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCF5D8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230295 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCF5D8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230294 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230293 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230327 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD12E6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230326 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD12E6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230325 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230324 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230323 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCFFC0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230322 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCFFC0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230321 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230320 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230319 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCFDB6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230318 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCFDB6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230317 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230316 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230315 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCFB57 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230314 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCFB57 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230313 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230312 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230362 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD350B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230361 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD350B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230360 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230359 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230358 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD25C2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230357 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD25C2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230356 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230355 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230354 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD1D3A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230353 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD1D3A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230352 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230351 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230350 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD1AD1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230349 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD1AD1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230348 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230347 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230346 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD19D4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230345 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCFB57 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230344 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCFDB6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230343 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD19D4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230342 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD19D4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230341 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230340 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230339 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD1986 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230338 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD1986 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230337 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD1986 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230336 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230335 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230334 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD1866 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230333 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD12E6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230332 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xCFFC0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230331 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD1866 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230330 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD1866 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230329 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230328 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230388 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD4310 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230387 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD4310 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230386 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230385 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230384 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD3AB0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230383 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD3AB0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230382 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230381 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230380 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD3851 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230379 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD3851 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230378 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230377 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230376 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD3802 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230375 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD1AD1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230374 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD1D3A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230373 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD3802 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230372 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD3802 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230371 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230370 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230369 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD37D1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230368 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD37D1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230367 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD37D1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230366 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230365 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230364 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD350B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230363 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD25C2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230406 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD6B95 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230405 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD6B95 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230404 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230403 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230402 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD5E75 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230401 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD5E75 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230400 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230399 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230398 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD53FF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230397 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD53FF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230396 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230395 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230394 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD53C9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230393 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD53C9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230392 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD53C9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230391 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230390 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230389 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD4310 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230431 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD84E1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230430 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD84E1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230429 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230428 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230427 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD796E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230426 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD796E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230425 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD796E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230424 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230423 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230422 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD775B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230421 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD775B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230420 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230419 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230418 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD772A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230417 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD772A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230416 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD772A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230415 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230414 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230413 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD7054 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230412 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD6B95 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230411 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD5E75 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230410 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD7054 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230409 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD7054 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230408 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230407 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230464 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xDA15F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230463 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xDA15F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230462 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230461 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230460 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD9F79 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230459 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD9F79 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230458 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230457 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230456 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD9F48 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230455 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD9F48 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230454 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD9F48 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230453 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230452 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230451 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD9B74 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230450 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD876C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230449 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD9B74 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230448 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD9B74 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230447 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230446 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230445 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD876C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230444 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD876C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230443 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230442 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230441 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD854B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230440 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD854B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230439 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230438 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230437 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD851A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230436 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD851A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230435 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD851A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230434 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230433 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230432 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD84E1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230497 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xDCE59 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230496 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xDCE59 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230495 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230494 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230493 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xDBD65 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230492 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xDBD65 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230491 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230490 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230489 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xDB8E5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230488 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xDB8E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230487 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230486 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230485 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xDB686 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230484 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xDB686 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230483 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230482 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230481 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xDB637 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230480 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD3851 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230479 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD775B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230478 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD53FF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230477 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD3AB0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230476 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD9F79 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230475 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xD854B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230474 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xDB637 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230473 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xDB637 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230472 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230471 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230470 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xDB606 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230469 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xDB606 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230468 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xDB606 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230467 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230466 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230465 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xDA15F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230501 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xDD731 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230500 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xDD731 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230499 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230498 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230532 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE4595 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230531 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE4595 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230530 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230529 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230528 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE35A4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230527 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE35A4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230526 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230525 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230524 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE2C4F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230523 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE2C4F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230522 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230521 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230520 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE2968 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230519 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE2968 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230518 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230517 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230516 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE28CA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230515 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xDB686 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230514 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xDB8E5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230513 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE28CA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230512 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE28CA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230511 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230510 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230509 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE27D9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230508 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE27D9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230507 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE27D9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230506 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230505 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230504 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xDD731 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230503 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xDCE59 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230502 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xDBD65 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230551 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE656E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230550 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE2968 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230549 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE2C4F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230548 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE656E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230547 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE656E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230546 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230545 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230544 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE6535 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230543 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE6535 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230542 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE6535 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230541 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230540 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230539 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE5AB5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230538 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE4595 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230537 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE35A4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230536 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE5AB5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230535 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE5AB5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230534 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230533 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230567 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE8272 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230566 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE8272 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230565 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230564 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230563 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE6BC2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230562 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE6BC2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230561 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230560 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230559 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE6910 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230558 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE6910 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230557 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230556 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230555 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE65E7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230554 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE65E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230553 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230552 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230590 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE8EAB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230589 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE8EAB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230588 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230587 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230586 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE8E1A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230585 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE65E7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230584 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE6910 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230583 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE8E1A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230582 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE8E1A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230581 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230580 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230579 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE8DE1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230578 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE8DE1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230577 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE8DE1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230576 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230575 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230574 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE8C56 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230573 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE8272 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230572 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE6BC2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230571 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE8C56 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230570 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE8C56 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230569 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230568 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230606 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xEB865 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230605 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xEB865 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230604 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230603 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230602 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xEAB69 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230601 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xEAB69 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230600 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230599 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230598 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE9443 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230597 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE9443 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230596 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230595 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230594 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE9184 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230593 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE9184 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230592 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230591 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230638 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xECEFA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230637 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xECEFA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230636 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230635 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230634 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xEC137 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230633 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xEC137 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230632 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xEC137 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230631 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230630 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230629 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xEBE1E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230628 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xEBE1E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230627 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230626 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230625 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xEBB3C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230624 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xEBB3C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230623 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230622 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230621 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xEBA8C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230620 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE8EAB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230619 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE9184 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230618 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xEBA8C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230617 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xEBA8C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230616 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230615 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230614 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xEBA53 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230613 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xEBA53 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230612 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xEBA53 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230611 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230610 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230609 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xEB865 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230608 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xEAB69 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230607 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xE9443 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230670 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xEFE41 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230669 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xEFE41 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230668 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230667 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230666 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xEF011 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230665 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xEF011 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230664 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xEF011 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230663 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230662 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230661 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xEED1F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230660 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xEED1F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230659 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230658 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230657 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xEEA49 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230656 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xEEA49 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230655 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230654 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230653 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xEE9F7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230652 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xEE9F7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230651 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xEE9F7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230650 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230649 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230648 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xED550 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230647 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xED550 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230646 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xED550 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230645 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230644 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230643 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xECF4F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230642 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xECF4F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230641 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230640 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:46:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230639 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0xECEFA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4616 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Security State Change OpCode=Info RecordNumber=230672 Keywords=Audit Success Message=The system time was changed. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x454 Name: C:\Windows\System32\svchost.exe Previous Time: ‎2020‎-‎11‎-‎09T11:46:20.532823200Z New Time: ‎2020‎-‎11‎-‎09T11:46:20.532000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. 11/09/2020 11:46:20 AM LogName=Security SourceName=Microsoft-Windows-Eventlog EventCode=1100 EventType=4 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Service shutdown OpCode=Info RecordNumber=230671 Keywords=Audit Success Message=The event logging service has shut down. 11/09/2020 11:46:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232461 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x6840B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232464 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x6AF31 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232463 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x6AF31 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 61991 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232462 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x6AF31 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:46:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=230675 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x250 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1c4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:46:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=230674 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1c4 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:46:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4826 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Other Policy Change Events OpCode=Info RecordNumber=230673 Keywords=Audit Success Message=Boot Configuration Data loaded. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Off Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Off HyperVisor Debugging: No 11/09/2020 11:46:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230685 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4608 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Security State Change OpCode=Info RecordNumber=230684 Keywords=Audit Success Message=Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. 11/09/2020 11:46:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=230683 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x360 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2d0 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:46:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=230682 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x358 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2d0 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:46:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=230681 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x314 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2c8 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:46:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=230680 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d8 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2c8 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:46:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=230679 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d0 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x280 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:46:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=230678 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2c8 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1c4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:46:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=230677 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x288 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x280 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:46:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=230676 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x280 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1c4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230713 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x158C8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230712 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230711 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x358 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=230710 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x408 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=230709 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x408 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230708 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230707 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x358 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=230706 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x4c8 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=230705 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x4c8 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230704 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230703 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x358 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5033 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=230702 Keywords=Audit Success Message=The Windows Firewall Driver started successfully. 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230701 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230700 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x358 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230699 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB03B Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230698 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB019 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230697 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB03B Linked Logon ID: 0xB019 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230696 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB019 Linked Logon ID: 0xB03B Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230695 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230694 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x358 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230693 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230692 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230691 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x358 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230690 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230689 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x358 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230688 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230687 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x358 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4902 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=230686 Keywords=Audit Success Message=The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x5F89 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232481 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x6BFE5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {924A9DE5-70F4-8511-80A9-D7CB530E1DA2} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49696 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232480 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-HOST-8$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {C59149E9-D37D-DE9E-3361-7E80E8898BB2} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49697 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232479 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x6BFA8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {924A9DE5-70F4-8511-80A9-D7CB530E1DA2} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49691 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232478 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-HOST-8$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {C59149E9-D37D-DE9E-3361-7E80E8898BB2} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49692 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232477 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x6BF8F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {924A9DE5-70F4-8511-80A9-D7CB530E1DA2} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49675 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232476 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x6BF76 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {924A9DE5-70F4-8511-80A9-D7CB530E1DA2} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49675 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232475 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x6BF64 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {924A9DE5-70F4-8511-80A9-D7CB530E1DA2} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49668 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232474 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-HOST-8$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {C59149E9-D37D-DE9E-3361-7E80E8898BB2} Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49690 Additional Information: Ticket Options: 0x60810010 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232473 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-HOST-8$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {C59149E9-D37D-DE9E-3361-7E80E8898BB2} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49688 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232472 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x6BF35 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {924A9DE5-70F4-8511-80A9-D7CB530E1DA2} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49681 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232471 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x6BF36 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {924A9DE5-70F4-8511-80A9-D7CB530E1DA2} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49678 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232470 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-HOST-8$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {C59149E9-D37D-DE9E-3361-7E80E8898BB2} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49686 Additional Information: Ticket Options: 0x40800000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232469 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-HOST-8$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {C59149E9-D37D-DE9E-3361-7E80E8898BB2} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49687 Additional Information: Ticket Options: 0x40800000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232468 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-HOST-8$ Supplied Realm Name: ATTACKRANGE.LOCAL User ID: ATTACKRANGE\WIN-HOST-8$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49685 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232467 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-HOST-8$ Supplied Realm Name: ATTACKRANGE.LOCAL User ID: ATTACKRANGE\WIN-HOST-8$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49684 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232466 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-HOST-8$ Supplied Realm Name: ATTACKRANGE.LOCAL User ID: ATTACKRANGE\WIN-HOST-8$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49680 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:46:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232465 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-HOST-8$ Supplied Realm Name: attackrange.local User ID: ATTACKRANGE\WIN-HOST-8$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49677 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:46:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230716 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x1E17C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {671DF408-80AC-7723-AAF1-EC83ECBE2547} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230715 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x1E17C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5024 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=230714 Keywords=Audit Success Message=The Windows Firewall service started successfully. 11/09/2020 11:46:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232494 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x6C027 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232493 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x6C03B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232492 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x6C0A0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {6069C5D1-2239-6832-7119-FC28328185C5} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49668 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232491 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-HOST-8$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8DD6B07E-1116-02DB-0C1C-FDB3DF462F6B} Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49718 Additional Information: Ticket Options: 0x60810010 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:46:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232490 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-HOST-8$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8DD6B07E-1116-02DB-0C1C-FDB3DF462F6B} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49717 Additional Information: Ticket Options: 0x40800000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:46:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232489 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x6C03B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {924A9DE5-70F4-8511-80A9-D7CB530E1DA2} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49715 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232488 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-HOST-8$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8DD6B07E-1116-02DB-0C1C-FDB3DF462F6B} Service Information: Service Name: WIN-HOST-8$ Service ID: ATTACKRANGE\WIN-HOST-8$ Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49714 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:46:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232487 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x6C027 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {924A9DE5-70F4-8511-80A9-D7CB530E1DA2} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49713 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232486 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x6C010 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232485 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x6C010 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {6069C5D1-2239-6832-7119-FC28328185C5} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49666 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232484 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-HOST-8$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8DD6B07E-1116-02DB-0C1C-FDB3DF462F6B} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49712 Additional Information: Ticket Options: 0x40800000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:46:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232483 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-HOST-8$ Supplied Realm Name: attackrange.local User ID: ATTACKRANGE\WIN-HOST-8$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49711 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:46:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232482 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x6BF36 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230720 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x1F504 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230719 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x1F504 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {671DF408-80AC-7723-AAF1-EC83ECBE2547} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:46:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230718 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x1F504 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230717 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x1E17C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:46:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230722 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:46:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230721 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x358 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:47:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230741 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x38F49 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:47:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230740 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x38F49 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:47:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230739 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x38F49 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4c8 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:47:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230738 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4c8 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:47:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230737 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:47:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230736 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x380E2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:47:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230735 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x380E2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:47:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230734 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x380E2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4c8 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:47:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230733 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4c8 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:47:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230732 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:47:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230731 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x37DE0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:47:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230730 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x37DE0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4c8 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:47:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230729 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4c8 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:47:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230728 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:47:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=230727 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x408 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 11:47:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230726 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x3715C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:47:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230725 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x3715C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4c8 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:47:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230724 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4c8 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:47:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230723 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:47:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230766 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x3A4D0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:47:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230765 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x39066 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:47:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230764 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x3940A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:47:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230763 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x3A4D0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:47:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230762 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x3A4D0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4c8 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:47:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230761 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4c8 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:47:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230760 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:47:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230759 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x3A43A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:47:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230758 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x3A43A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:47:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230757 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x3A43A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4c8 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:47:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230756 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4c8 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:47:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230755 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:47:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230754 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x39750 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:47:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230753 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x39750 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:47:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230752 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x39750 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4c8 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:47:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230751 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4c8 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:47:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230750 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:47:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230749 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x3940A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:47:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230748 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x3940A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4c8 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:47:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230747 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4c8 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:47:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230746 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:47:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230745 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x39066 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:47:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230744 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x39066 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4c8 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:47:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230743 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4c8 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:47:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230742 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:47:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230770 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3A9AD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:47:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230769 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x3A9AD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D8742D16-0F51-DC86-B5B9-418ED5ADDECD} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:47:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230768 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3A9AD Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:47:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230767 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon GUID: {6B9AF637-95DB-6F8B-D7E2-48EB1AD4DC5B} Target Server: Target Server Name: win-host-8$ Additional Information: win-host-8$ Process Information: Process ID: 0xe24 Process Name: C:\Windows\System32\taskhostw.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:47:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232499 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x6BF64 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:47:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232498 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x6C2C8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:47:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232497 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-HOST-8$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {6B9AF637-95DB-6F8B-D7E2-48EB1AD4DC5B} Service Information: Service Name: WIN-HOST-8$ Service ID: ATTACKRANGE\WIN-HOST-8$ Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49729 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:47:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232496 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-HOST-8$ Supplied Realm Name: ATTACKRANGE.LOCAL User ID: ATTACKRANGE\WIN-HOST-8$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49728 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:47:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232495 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x6C2C8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {924A9DE5-70F4-8511-80A9-D7CB530E1DA2} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49726 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:47:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232500 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x6C3C5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {924A9DE5-70F4-8511-80A9-D7CB530E1DA2} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49731 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:47:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232501 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x6C0A0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:47:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232504 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x6C8FD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:47:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232503 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x6C8FD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 62003 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:47:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232502 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x6C8FD Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:47:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232505 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x65974 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:47:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232508 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x6DAD0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {46CE51B2-1129-8D27-C87F-BB79CA75EC93} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 62009 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:47:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232507 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x6DAD0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:47:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232506 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-259$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {B462C64C-2CB9-F1FD-3522-684DF02DB707} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:48:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232511 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x70397 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 95.90.199.65 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:48:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232510 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x70397 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:48:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=232509 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: Error Code: 0x0 11/09/2020 11:48:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232517 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:48:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232516 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:48:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232515 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-2 Account Name: DWM-2 Account Domain: Window Manager Logon ID: 0x74D5D Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 11:48:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232514 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-2 Account Name: DWM-2 Account Domain: Window Manager Logon ID: 0x74D8B Linked Logon ID: 0x74D5D Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1260 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:48:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232513 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-2 Account Name: DWM-2 Account Domain: Window Manager Logon ID: 0x74D5D Linked Logon ID: 0x74D8B Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1260 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:48:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232512 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-2 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1260 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:48:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232525 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x82546 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:48:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232524 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x82546 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {918C43CF-BFF4-3A3F-B104-429BF877CCFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 62015 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:48:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232523 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x82546 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:48:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232522 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7F953 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:48:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232521 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 10 Restricted Admin Mode: No Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7F953 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8322D77C-FA06-C9B9-2B40-C98130EFC632} Process Information: Process ID: 0x474 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-259 Source Network Address: 95.90.199.65 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:48:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232520 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: ATTACKRANGE Logon GUID: {8322D77C-FA06-C9B9-2B40-C98130EFC632} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x474 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 95.90.199.65 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:48:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232519 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8322D77C-FA06-C9B9-2B40-C98130EFC632} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:48:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232518 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: Administrator Supplied Realm Name: attackrange.local User ID: ATTACKRANGE\Administrator Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:48:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232537 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x87844 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:48:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232536 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x87892 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:48:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232535 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x87A04 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {918C43CF-BFF4-3A3F-B104-429BF877CCFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 62019 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:48:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232534 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x87A04 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:48:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232533 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x87892 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {918C43CF-BFF4-3A3F-B104-429BF877CCFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.14 Source Port: 62025 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:48:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232532 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x87892 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:48:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232531 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x87844 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AF648D3B-9DFC-D76D-4EB4-DE1E7D1F56AF} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:48:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232530 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x87844 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:48:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232529 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x8774E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {918C43CF-BFF4-3A3F-B104-429BF877CCFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 62024 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:48:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232528 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x8774E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:48:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4662 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Directory Service Access OpCode=Info RecordNumber=232527 Keywords=Audit Success Message=An operation was performed on an object. Subject : Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7F953 Object: Object Server: DS Object Type: groupPolicyContainer Object Name: CN={31B2F340-016D-11D2-945F-00C04FB984F9}CN=Policies,CN=System,DC=attackrange,DC=local Handle ID: 0x0 Operation: Operation Type: Object Access Accesses: Write Property Access Mask: 0x20 Properties: Write Property Default Property Set versionNumber gPCMachineExtensionNames groupPolicyContainer Additional Information: Parameter 1: - Parameter 2: 11/09/2020 11:48:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4662 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Directory Service Access OpCode=Info RecordNumber=232526 Keywords=Audit Success Message=An operation was performed on an object. Subject : Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7F953 Object: Object Server: DS Object Type: groupPolicyContainer Object Name: CN={31B2F340-016D-11D2-945F-00C04FB984F9}CN=Policies,CN=System,DC=attackrange,DC=local Handle ID: 0x0 Operation: Operation Type: Object Access Accesses: Write Property Access Mask: 0x20 Properties: Write Property Default Property Set versionNumber gPCMachineExtensionNames groupPolicyContainer Additional Information: Parameter 1: - Parameter 2: 11/09/2020 11:48:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232559 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x8B7C7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:48:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232558 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x8BEDB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:48:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232557 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x8BF01 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:48:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232556 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x8BF01 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2EF72B82-8C40-0FEC-BF45-895CB5FCEE72} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:48:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232555 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x8BF01 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:48:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232554 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon GUID: {05AEEDE6-FE37-D75A-F4FC-FD2DE1399C42} Target Server: Target Server Name: win-dc-259$ Additional Information: win-dc-259$ Process Information: Process ID: 0x105c Process Name: C:\Windows\System32\taskhostw.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:48:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232553 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-259$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {05AEEDE6-FE37-D75A-F4FC-FD2DE1399C42} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:48:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232552 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-DC-259$ Supplied Realm Name: ATTACKRANGE.LOCAL User ID: ATTACKRANGE\WIN-DC-259$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:48:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232551 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x8BEDB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {918C43CF-BFF4-3A3F-B104-429BF877CCFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.14 Source Port: 62028 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:48:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232550 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x8BEDB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:48:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232549 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x8BD93 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:48:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232548 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x8BDFA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:48:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232547 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x8BDFA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2EF72B82-8C40-0FEC-BF45-895CB5FCEE72} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:48:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232546 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x8BDFA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:48:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232545 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon GUID: {05AEEDE6-FE37-D75A-F4FC-FD2DE1399C42} Target Server: Target Server Name: win-dc-259$ Additional Information: win-dc-259$ Process Information: Process ID: 0x105c Process Name: C:\Windows\System32\taskhostw.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:48:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232544 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-259$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {05AEEDE6-FE37-D75A-F4FC-FD2DE1399C42} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:48:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232543 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-DC-259$ Supplied Realm Name: ATTACKRANGE.LOCAL User ID: ATTACKRANGE\WIN-DC-259$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 11:48:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232542 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x8BD93 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {918C43CF-BFF4-3A3F-B104-429BF877CCFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.14 Source Port: 62027 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:48:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232541 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x8BD93 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:48:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232540 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x8B7C7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 62026 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:48:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232539 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x8B7C7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:48:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232538 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x8774E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:48:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232564 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:48:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232563 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:48:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232562 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:48:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232561 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:48:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232560 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x6DAD0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:48:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5059 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=232588 Keywords=Audit Success Message=Key migration operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Administrator@attackrange.local Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0 11/09/2020 11:48:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5059 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=232587 Keywords=Audit Success Message=Key migration operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Administrator@attackrange.local Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0 11/09/2020 11:48:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5059 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=232586 Keywords=Audit Success Message=Key migration operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Administrator@attackrange.local Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0 11/09/2020 11:48:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=System Integrity OpCode=Info RecordNumber=232585 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Administrator@attackrange.local Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:48:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=232584 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Administrator@attackrange.local Key Type: User key. Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\d4ca5289cf34fcb2bfb55faebd03c63e_34ca4ca7-a721-48b1-9db0-17df5a4229a7 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:48:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=System Integrity OpCode=Info RecordNumber=232583 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Administrator@attackrange.local Key Type: User key. Cryptographic Operation: Operation: Create Key. Return Code: 0x0 11/09/2020 11:48:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=232582 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Administrator@attackrange.local Key Type: User key. Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\d4ca5289cf34fcb2bfb55faebd03c63e_34ca4ca7-a721-48b1-9db0-17df5a4229a7 Operation: Write persisted key to file. Return Code: 0x0 11/09/2020 11:48:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=System Integrity OpCode=Info RecordNumber=232581 Keywords=Audit Failure Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Administrator@attackrange.local Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x80090016 11/09/2020 11:48:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=System Integrity OpCode=Info RecordNumber=232580 Keywords=Audit Failure Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Administrator@attackrange.local Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x80090016 11/09/2020 11:48:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=System Integrity OpCode=Info RecordNumber=232579 Keywords=Audit Failure Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Administrator@attackrange.local Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x80090016 11/09/2020 11:48:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5059 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=232578 Keywords=Audit Success Message=Key migration operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0 11/09/2020 11:48:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5059 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=232577 Keywords=Audit Success Message=Key migration operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0 11/09/2020 11:48:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5059 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=232576 Keywords=Audit Success Message=Key migration operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0 11/09/2020 11:48:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=System Integrity OpCode=Info RecordNumber=232575 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:48:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=232574 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_34ca4ca7-a721-48b1-9db0-17df5a4229a7 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:48:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=System Integrity OpCode=Info RecordNumber=232573 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Create Key. Return Code: 0x0 11/09/2020 11:48:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=232572 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_34ca4ca7-a721-48b1-9db0-17df5a4229a7 Operation: Write persisted key to file. Return Code: 0x0 11/09/2020 11:48:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=System Integrity OpCode=Info RecordNumber=232571 Keywords=Audit Failure Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x80090016 11/09/2020 11:48:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=232570 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_a4ee36bd-fd63-46a0-a49f-c2b42395fbd8 Operation: Delete key file. Return Code: 0x0 11/09/2020 11:48:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=System Integrity OpCode=Info RecordNumber=232569 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:48:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=232568 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_a4ee36bd-fd63-46a0-a49f-c2b42395fbd8 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:48:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5059 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=232567 Keywords=Audit Success Message=Key migration operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0 11/09/2020 11:48:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=System Integrity OpCode=Info RecordNumber=232566 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:48:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=232565 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_a4ee36bd-fd63-46a0-a49f-c2b42395fbd8 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:48:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232591 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x6BF8F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:48:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232590 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x6BF76 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:48:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232589 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x87A04 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:48:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232594 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0xBE225 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:48:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232593 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xBE225 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 62034 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:48:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232592 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0xBE225 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:48:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232600 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0xBE3FE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:48:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232599 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xBE3FE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 62037 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:48:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232598 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0xBE3FE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:48:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232597 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0xBE392 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:48:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232596 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xBE392 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 62036 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:48:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232595 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0xBE392 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:48:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=System Integrity OpCode=Info RecordNumber=232602 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 332fe7e7-d709-e3d8-af9e-7236c48f4c55 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:48:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=232601 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 332fe7e7-d709-e3d8-af9e-7236c48f4c55 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\c863ea31ca086d21d5ab6f408a21b763_51f82a1e-9fd6-46e2-8656-0a748eeada79 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:49:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232603 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x6C3C5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:49:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232604 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x1088DB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {924A9DE5-70F4-8511-80A9-D7CB530E1DA2} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49747 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:49:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232607 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x109949 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:49:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232606 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x109949 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 62068 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:49:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232605 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x109949 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:49:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232608 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x6BF35 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:49:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232610 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x6BFE5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:49:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232609 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x6BFA8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:50:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232613 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x13FDF0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:50:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232612 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x13FDF0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 62091 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:50:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232611 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x13FDF0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:50:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=User Account Management OpCode=Info RecordNumber=232621 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7F953 Target Account: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x210 User Account Control: 'Don't Expire Password' - Enabled User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: - 11/09/2020 11:50:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4732 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=232620 Keywords=Audit Success Message=A member was added to a security-enabled local group. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7F953 Member: Security ID: ATTACKRANGE\paba Account Name: CN=Patrick Bareiss,CN=Users,DC=attackrange,DC=local Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: - 11/09/2020 11:50:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=232619 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7F953 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:50:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4722 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=User Account Management OpCode=Info RecordNumber=232618 Keywords=Audit Success Message=A user account was enabled. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7F953 Target Account: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE 11/09/2020 11:50:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=User Account Management OpCode=Info RecordNumber=232617 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7F953 Target Account: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: 0x11 New UAC Value: 0x10 User Account Control: Account Enabled User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: - 11/09/2020 11:50:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4724 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=User Account Management OpCode=Info RecordNumber=232616 Keywords=Audit Success Message=An attempt was made to reset an account's password. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7F953 Target Account: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE 11/09/2020 11:50:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=User Account Management OpCode=Info RecordNumber=232615 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7F953 Target Account: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: 11/9/2020 11:50:32 AM Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: - 11/09/2020 11:50:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4720 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=User Account Management OpCode=Info RecordNumber=232614 Keywords=Audit Success Message=A user account was created. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7F953 New Account: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE Attributes: SAM Account Name: paba Display Name: Patrick Bareiss User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: Account Expires: Primary Group ID: 513 Allowed To Delegate To: - Old UAC Value: 0x0 New UAC Value: 0x11 User Account Control: Account Disabled 'Normal Account' - Enabled User Parameters: - SID History: - Logon Hours: Additional Information: Privileges - 11/09/2020 11:50:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230773 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6488A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 95.90.199.65 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:50:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230772 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6488A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:50:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230771 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: Error Code: 0x0 11/09/2020 11:50:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230780 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:50:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230779 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x358 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:50:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230778 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-2 Account Name: DWM-2 Account Domain: Window Manager Logon ID: 0x6810B Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege 11/09/2020 11:50:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230777 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-2 Account Name: DWM-2 Account Domain: Window Manager Logon ID: 0x680E6 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 11:50:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230776 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-2 Account Name: DWM-2 Account Domain: Window Manager Logon ID: 0x6810B Linked Logon ID: 0x680E6 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xe48 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:50:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230775 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-2 Account Name: DWM-2 Account Domain: Window Manager Logon ID: 0x680E6 Linked Logon ID: 0x6810B Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xe48 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:50:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230774 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-2 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xe48 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:50:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230784 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x72E15 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:50:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230783 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 10 Restricted Admin Mode: No Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x72E15 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x408 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: 95.90.199.65 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:50:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230782 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-HOST-8 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x408 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 95.90.199.65 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 11:50:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=230781 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-HOST-8 Error Code: 0x0 11/09/2020 11:50:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230786 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:50:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230785 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x358 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:50:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230788 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 11:50:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230787 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x358 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:50:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5059 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=230793 Keywords=Audit Success Message=Key migration operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 332fe7e7-d709-e3d8-af9e-7236c48f4c55 Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0 11/09/2020 11:50:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=System Integrity OpCode=Info RecordNumber=230792 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 332fe7e7-d709-e3d8-af9e-7236c48f4c55 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:50:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=230791 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 332fe7e7-d709-e3d8-af9e-7236c48f4c55 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\c863ea31ca086d21d5ab6f408a21b763_51f82a1e-9fd6-46e2-8656-0a748eeada79 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:50:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=System Integrity OpCode=Info RecordNumber=230790 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 332fe7e7-d709-e3d8-af9e-7236c48f4c55 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:50:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=230789 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 332fe7e7-d709-e3d8-af9e-7236c48f4c55 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\c863ea31ca086d21d5ab6f408a21b763_51f82a1e-9fd6-46e2-8656-0a748eeada79 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:50:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=System Integrity OpCode=Info RecordNumber=230799 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 332fe7e7-d709-e3d8-af9e-7236c48f4c55 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:50:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=230798 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 332fe7e7-d709-e3d8-af9e-7236c48f4c55 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\c863ea31ca086d21d5ab6f408a21b763_51f82a1e-9fd6-46e2-8656-0a748eeada79 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:50:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=System Integrity OpCode=Info RecordNumber=230797 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 332fe7e7-d709-e3d8-af9e-7236c48f4c55 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:50:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=230796 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 332fe7e7-d709-e3d8-af9e-7236c48f4c55 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\c863ea31ca086d21d5ab6f408a21b763_51f82a1e-9fd6-46e2-8656-0a748eeada79 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:50:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=System Integrity OpCode=Info RecordNumber=230795 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 332fe7e7-d709-e3d8-af9e-7236c48f4c55 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:50:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=230794 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 332fe7e7-d709-e3d8-af9e-7236c48f4c55 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\c863ea31ca086d21d5ab6f408a21b763_51f82a1e-9fd6-46e2-8656-0a748eeada79 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:50:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=System Integrity OpCode=Info RecordNumber=230803 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 332fe7e7-d709-e3d8-af9e-7236c48f4c55 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:50:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=230802 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 332fe7e7-d709-e3d8-af9e-7236c48f4c55 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\c863ea31ca086d21d5ab6f408a21b763_51f82a1e-9fd6-46e2-8656-0a748eeada79 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:50:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=System Integrity OpCode=Info RecordNumber=230801 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 332fe7e7-d709-e3d8-af9e-7236c48f4c55 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 11:50:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=230800 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 332fe7e7-d709-e3d8-af9e-7236c48f4c55 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\c863ea31ca086d21d5ab6f408a21b763_51f82a1e-9fd6-46e2-8656-0a748eeada79 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 11:51:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230804 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: WIN-HOST-8\Administrator Account Name: Administrator Account Domain: WIN-HOST-8 Logon ID: 0x6488A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:51:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=232622 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: paba Source Workstation: Error Code: 0x0 11/09/2020 11:51:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230805 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE Logon ID: 0xCC9F8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 95.90.199.65 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:51:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232625 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x15E1B4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:51:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232624 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x15E1B4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 62105 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:51:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232623 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x15E1B4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:51:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4732 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=232627 Keywords=Audit Success Message=A member was added to a security-enabled local group. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7F953 Member: Security ID: ATTACKRANGE\paba Account Name: CN=Patrick Bareiss,CN=Users,DC=attackrange,DC=local Group: Security ID: BUILTIN\Remote Desktop Users Group Name: Remote Desktop Users Group Domain: Builtin Additional Information: Privileges: - 11/09/2020 11:51:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=232626 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7F953 Group: Security ID: BUILTIN\Remote Desktop Users Group Name: Remote Desktop Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:51:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=232628 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: paba Source Workstation: Error Code: 0x0 11/09/2020 11:51:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230806 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE Logon ID: 0xD2C8E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 95.90.199.65 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:52:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232631 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x181251 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:52:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232630 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x181251 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 62119 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:52:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232629 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x181251 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:52:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230807 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE Logon ID: 0xCC9F8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:53:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232642 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x18D6BA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:53:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232641 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x18D7A9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:53:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232640 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x18D7F1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:53:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232639 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x18D867 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {918C43CF-BFF4-3A3F-B104-429BF877CCFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 62130 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:53:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232638 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x18D867 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:53:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232637 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x18D7F1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {918C43CF-BFF4-3A3F-B104-429BF877CCFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.14 Source Port: 62128 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:53:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232636 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x18D7F1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:53:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232635 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x18D7A9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AF648D3B-9DFC-D76D-4EB4-DE1E7D1F56AF} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:53:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232634 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x18D7A9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:53:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232633 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x18D6BA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {918C43CF-BFF4-3A3F-B104-429BF877CCFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 62127 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:53:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232632 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x18D6BA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:53:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=232660 Keywords=Audit Success Message=A security-enabled global group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Read-only Domain Controllers Group Name: Read-only Domain Controllers Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:53:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=232659 Keywords=Audit Success Message=A security-enabled global group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Domain Controllers Group Name: Domain Controllers Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:53:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=User Account Management OpCode=Info RecordNumber=232658 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Target Account: Security ID: ATTACKRANGE\krbtgt Account Name: krbtgt Account Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: - 11/09/2020 11:53:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=232657 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:53:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=232656 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: BUILTIN\Account Operators Group Name: Account Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:53:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=232655 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: BUILTIN\Server Operators Group Name: Server Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:53:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=232654 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: BUILTIN\Print Operators Group Name: Print Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:53:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=232653 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: BUILTIN\Replicator Group Name: Replicator Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:53:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=232652 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:53:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4755 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=232651 Keywords=Audit Success Message=A security-enabled universal group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Enterprise Admins Group Name: Enterprise Admins Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:53:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=User Account Management OpCode=Info RecordNumber=232650 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: - 11/09/2020 11:53:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4755 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=232649 Keywords=Audit Success Message=A security-enabled universal group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Schema Admins Group Name: Schema Admins Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:53:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=232648 Keywords=Audit Success Message=A security-enabled global group was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Group: Security ID: ATTACKRANGE\Domain Admins Group Name: Domain Admins Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 11:53:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=User Account Management OpCode=Info RecordNumber=232647 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6 Target Account: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: - 11/09/2020 11:53:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232645 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x18E946 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A2AC228E-D30D-5F88-60E3-A36D0CD7294B} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 62132 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:53:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232644 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x18E946 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:53:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232643 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-259$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {85B5DED5-DFBF-DEFB-C349-E9188DEA5817} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40800000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 11:53:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232664 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x18D867 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:53:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232663 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x18FAD1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:53:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232662 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x18FAD1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {918C43CF-BFF4-3A3F-B104-429BF877CCFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 62134 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:53:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232661 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x18FAD1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:53:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230808 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE Logon ID: 0xD2C8E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:53:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232667 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x197777 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:53:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232666 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x197777 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 62145 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:53:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232665 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x197777 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:53:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232673 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x198BDB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:53:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232672 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x198BDB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 62148 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:53:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232671 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x198BDB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:53:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232670 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x198B6F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:53:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232669 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x198B6F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 62147 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:53:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232668 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x198B6F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:53:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232675 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x1A57E9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 62153 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:53:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232674 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x1A57E9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:53:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232689 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x1A8CF6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:53:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232688 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x1A8CF6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {918C43CF-BFF4-3A3F-B104-429BF877CCFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 62158 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:53:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232687 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x1A8CF6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:53:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232686 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x1A82AC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:53:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232685 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x1A83CB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:53:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232684 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x1A8439 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:53:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232683 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x1A8917 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {918C43CF-BFF4-3A3F-B104-429BF877CCFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 62150 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:53:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232682 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x1A8917 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:53:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232681 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x1A8439 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {918C43CF-BFF4-3A3F-B104-429BF877CCFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.14 Source Port: 62155 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:53:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232680 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x1A8439 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:53:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232679 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x1A83CB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AF648D3B-9DFC-D76D-4EB4-DE1E7D1F56AF} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:53:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232678 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x1A83CB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:53:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232677 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x1A82AC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {918C43CF-BFF4-3A3F-B104-429BF877CCFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 62154 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:53:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232676 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x1A82AC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:53:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232690 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x1A8917 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:54:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230809 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE Logon ID: 0xD758D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 95.90.199.65 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:54:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=232691 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: paba Source Workstation: Error Code: 0x0 11/09/2020 11:54:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232694 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x1CF89A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:54:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232693 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x1CF89A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 62169 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:54:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232692 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x1CF89A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:55:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232695 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x4F68C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:55:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232696 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x1A57E9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:55:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232699 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x1F8BF7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:55:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232698 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x1F8BF7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 62181 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:55:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232697 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x1F8BF7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:55:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230810 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE Logon ID: 0xD758D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:56:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232702 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x2413D4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:56:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232701 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x2413D4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 62193 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:56:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232700 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x2413D4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:57:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232705 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x242A82 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:57:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232704 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x242A82 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 62205 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:57:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232703 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x242A82 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:57:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232707 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x243D2F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {46CE51B2-1129-8D27-C87F-BB79CA75EC93} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 62211 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:57:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232706 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x243D2F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:58:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232708 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x243D2F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:58:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232711 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x2445F8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:58:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232710 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x2445F8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 62218 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:58:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232709 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x2445F8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:58:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232717 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x2447E8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:58:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232716 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x2447E8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 62222 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:58:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232715 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x2447E8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:58:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232714 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x24477C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:58:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232713 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x24477C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 62221 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:58:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232712 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x24477C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:58:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232728 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x24572E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:58:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232727 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x24581C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:58:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232726 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x245862 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:58:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232725 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x2458D3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {918C43CF-BFF4-3A3F-B104-429BF877CCFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 62227 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:58:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232724 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x2458D3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:58:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232723 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x245862 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {918C43CF-BFF4-3A3F-B104-429BF877CCFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.14 Source Port: 62226 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:58:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232722 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x245862 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:58:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232721 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x24581C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AF648D3B-9DFC-D76D-4EB4-DE1E7D1F56AF} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:58:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232720 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x24581C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:58:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232719 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x24572E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {918C43CF-BFF4-3A3F-B104-429BF877CCFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 62225 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:58:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232718 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x24572E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 11:58:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232729 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x2458D3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:59:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232732 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x24FA9F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 11:59:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232731 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x24FA9F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 62253 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 11:59:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232730 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x24FA9F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:00:23 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4733 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=232738 Keywords=Audit Success Message=A member was removed from a security-enabled local group. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7F953 Member: Security ID: ATTACKRANGE\paba Account Name: CN=Patrick Bareiss,CN=Users,DC=attackrange,DC=local Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: - 11/09/2020 12:00:23 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=232737 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7F953 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 12:00:23 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4728 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=232735 Keywords=Audit Success Message=A member was added to a security-enabled global group. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7F953 Member: Security ID: ATTACKRANGE\paba Account Name: CN=Patrick Bareiss,CN=Users,DC=attackrange,DC=local Group: Security ID: ATTACKRANGE\Domain Admins Group Name: Domain Admins Group Domain: ATTACKRANGE Additional Information: Privileges: - 11/09/2020 12:00:23 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=232734 Keywords=Audit Success Message=A security-enabled global group was changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7F953 Group: Security ID: ATTACKRANGE\Domain Admins Group Name: Domain Admins Group Domain: ATTACKRANGE Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 11/09/2020 12:00:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232741 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x2557C5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:00:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232740 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x2557C5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 62282 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:00:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232739 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x2557C5 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:00:41 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230812 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE Logon ID: 0x16009D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 95.90.199.65 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:00:41 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230811 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE Logon ID: 0x16009D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 12:00:41 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=232742 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: paba Source Workstation: Error Code: 0x0 11/09/2020 12:00:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230823 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 12:00:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230822 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x358 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:00:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230821 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE Logon ID: 0x165829 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 12:00:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230820 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 10 Restricted Admin Mode: No Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE Logon ID: 0x165B24 Linked Logon ID: 0x165829 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x408 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: 95.90.199.65 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:00:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230819 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 10 Restricted Admin Mode: No Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE Logon ID: 0x165829 Linked Logon ID: 0x165B24 Network Account Name: - Network Account Domain: - Logon GUID: {9DCBD252-F438-2FF1-529D-E128C226A8BF} Process Information: Process ID: 0x408 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: 95.90.199.65 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:00:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230818 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: paba Account Domain: ATTACKRANGE Logon GUID: {9DCBD252-F438-2FF1-529D-E128C226A8BF} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x408 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 95.90.199.65 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 12:00:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230817 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-3 Account Name: DWM-3 Account Domain: Window Manager Logon ID: 0x16220A Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege 11/09/2020 12:00:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230816 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-3 Account Name: DWM-3 Account Domain: Window Manager Logon ID: 0x1621E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 12:00:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230815 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-3 Account Name: DWM-3 Account Domain: Window Manager Logon ID: 0x16220A Linked Logon ID: 0x1621E4 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x984 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:00:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230814 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-3 Account Name: DWM-3 Account Domain: Window Manager Logon ID: 0x1621E4 Linked Logon ID: 0x16220A Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x984 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:00:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230813 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-3 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x984 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 12:00:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232748 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x2565D6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F142C89B-B498-A9EA-0BD5-9C0A02940594} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49907 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:00:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232747 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE Logon ID: 0x2565D6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:00:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232746 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: paba@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {9DCBD252-F438-2FF1-529D-E128C226A8BF} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49910 Additional Information: Ticket Options: 0x40800000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 12:00:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232745 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: paba Supplied Realm Name: ATTACKRANGE.LOCAL User ID: ATTACKRANGE\paba Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49909 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 12:00:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232744 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: paba@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {9DCBD252-F438-2FF1-529D-E128C226A8BF} Service Information: Service Name: WIN-HOST-8$ Service ID: ATTACKRANGE\WIN-HOST-8$ Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49905 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 12:00:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232743 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: paba Supplied Realm Name: attackrange.local User ID: ATTACKRANGE\paba Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49904 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 12:00:49 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232751 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x25676D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {98736107-8AFB-EB64-AD24-B02F110311D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49907 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:00:49 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232750 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE Logon ID: 0x25676D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:00:49 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232749 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: paba@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {4FC9C0D5-BBAD-CC74-FDE7-52BC31822C41} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49918 Additional Information: Ticket Options: 0x40800000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 12:00:49 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=230824 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x408 Process Name: C:\Windows\System32\svchost.exe 11/09/2020 12:00:50 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230826 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 12:00:50 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230825 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x358 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:00:50 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232756 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x256782 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:00:50 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232755 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE Logon ID: 0x256794 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:00:50 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232754 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x256794 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {98736107-8AFB-EB64-AD24-B02F110311D4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49920 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:00:50 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232753 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE Logon ID: 0x256794 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:00:50 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232752 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x256782 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {924A9DE5-70F4-8511-80A9-D7CB530E1DA2} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49919 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:00:51 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5059 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=230850 Keywords=Audit Success Message=Key migration operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: paba@attackrange.local Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0 11/09/2020 12:00:51 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5059 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=230849 Keywords=Audit Success Message=Key migration operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: paba@attackrange.local Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0 11/09/2020 12:00:51 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5059 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=230848 Keywords=Audit Success Message=Key migration operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: paba@attackrange.local Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0 11/09/2020 12:00:51 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=System Integrity OpCode=Info RecordNumber=230847 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: paba@attackrange.local Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 12:00:51 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=230846 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: paba@attackrange.local Key Type: User key. Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\829b9e1c028dcd64314fe719df484e52_e592d445-77f8-4f09-9dde-c74cee7316a9 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 12:00:51 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=System Integrity OpCode=Info RecordNumber=230845 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: paba@attackrange.local Key Type: User key. Cryptographic Operation: Operation: Create Key. Return Code: 0x0 11/09/2020 12:00:51 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=230844 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: paba@attackrange.local Key Type: User key. Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\829b9e1c028dcd64314fe719df484e52_e592d445-77f8-4f09-9dde-c74cee7316a9 Operation: Write persisted key to file. Return Code: 0x0 11/09/2020 12:00:51 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=System Integrity OpCode=Info RecordNumber=230843 Keywords=Audit Failure Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: paba@attackrange.local Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x80090016 11/09/2020 12:00:51 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=System Integrity OpCode=Info RecordNumber=230842 Keywords=Audit Failure Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: paba@attackrange.local Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x80090016 11/09/2020 12:00:51 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=System Integrity OpCode=Info RecordNumber=230841 Keywords=Audit Failure Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: paba@attackrange.local Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x80090016 11/09/2020 12:00:51 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5059 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=230840 Keywords=Audit Success Message=Key migration operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0 11/09/2020 12:00:51 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5059 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=230839 Keywords=Audit Success Message=Key migration operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0 11/09/2020 12:00:51 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5059 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=230838 Keywords=Audit Success Message=Key migration operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0 11/09/2020 12:00:51 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=System Integrity OpCode=Info RecordNumber=230837 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 12:00:51 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=230836 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_e592d445-77f8-4f09-9dde-c74cee7316a9 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 12:00:51 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=System Integrity OpCode=Info RecordNumber=230835 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Create Key. Return Code: 0x0 11/09/2020 12:00:51 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=230834 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_e592d445-77f8-4f09-9dde-c74cee7316a9 Operation: Write persisted key to file. Return Code: 0x0 11/09/2020 12:00:51 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=System Integrity OpCode=Info RecordNumber=230833 Keywords=Audit Failure Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x80090016 11/09/2020 12:00:51 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=230832 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_a4ee36bd-fd63-46a0-a49f-c2b42395fbd8 Operation: Delete key file. Return Code: 0x0 11/09/2020 12:00:51 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=System Integrity OpCode=Info RecordNumber=230831 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 12:00:51 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=230830 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_a4ee36bd-fd63-46a0-a49f-c2b42395fbd8 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 12:00:51 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5059 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=230829 Keywords=Audit Success Message=Key migration operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0 11/09/2020 12:00:51 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=System Integrity OpCode=Info RecordNumber=230828 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 12:00:51 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=230827 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_a4ee36bd-fd63-46a0-a49f-c2b42395fbd8 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 12:00:53 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=System Integrity OpCode=Info RecordNumber=230852 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 332fe7e7-d709-e3d8-af9e-7236c48f4c55 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 11/09/2020 12:00:53 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Other System Events OpCode=Info RecordNumber=230851 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 332fe7e7-d709-e3d8-af9e-7236c48f4c55 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\c863ea31ca086d21d5ab6f408a21b763_51f82a1e-9fd6-46e2-8656-0a748eeada79 Operation: Read persisted key from file. Return Code: 0x0 11/09/2020 12:00:53 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232764 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE Logon ID: 0x25687D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:00:53 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232763 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x25687D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D114682D-4F2C-7693-07A0-6DA6E39387D6} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:00:53 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232762 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE Logon ID: 0x25687D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:00:53 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232761 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: paba@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {87BB7E0D-7AD4-154C-5165-45649AD499CC} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49925 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 12:00:53 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232760 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x256866 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D114682D-4F2C-7693-07A0-6DA6E39387D6} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49922 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:00:53 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232759 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE Logon ID: 0x256866 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:00:53 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232758 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: paba@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {87BB7E0D-7AD4-154C-5165-45649AD499CC} Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49924 Additional Information: Ticket Options: 0x60810010 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 12:00:53 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232757 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: paba@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {87BB7E0D-7AD4-154C-5165-45649AD499CC} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49923 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 12:01:06 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232765 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE Logon ID: 0x256866 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:01:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230853 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE Logon ID: 0x16009D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:01:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232768 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x25810E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:01:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232767 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x25810E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 62294 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:01:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232766 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x25810E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:01:51 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232769 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x25906D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {924A9DE5-70F4-8511-80A9-D7CB530E1DA2} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 49941 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:02:02 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232770 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-HOST-8$ Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x25906D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:02:12 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230854 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: paba Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 95.90.199.65 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:02:14 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230855 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: paba Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 95.90.199.65 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:02:18 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230856 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: paba Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 95.90.199.65 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:02:21 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232772 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE Logon ID: 0x25676D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:02:21 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232771 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE Logon ID: 0x2565D6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:02:23 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230857 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: paba Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 95.90.199.65 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:02:26 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230858 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: paba Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 95.90.199.65 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:02:29 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230859 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: paba Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 95.90.199.65 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:02:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232775 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x259893 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:02:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232774 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x259893 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 62307 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:02:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232773 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x259893 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:02:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=232776 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: paba Source Workstation: Error Code: 0x0 11/09/2020 12:02:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230861 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE Logon ID: 0x217E65 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 95.90.199.65 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:02:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230860 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE Logon ID: 0x217E65 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 12:02:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230872 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE Logon ID: 0x21E573 Logon Type: 10 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:02:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230871 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE Logon ID: 0x21F3A3 Logon Type: 10 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:02:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232778 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: paba@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {197180CF-A21B-E391-E5D7-173A9F834F0D} Service Information: Service Name: WIN-HOST-8$ Service ID: ATTACKRANGE\WIN-HOST-8$ Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49957 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 12:02:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232777 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: paba Supplied Realm Name: attackrange.local User ID: ATTACKRANGE\paba Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 49956 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 12:02:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230870 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE Logon ID: 0x21E573 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/09/2020 12:02:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230869 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 10 Restricted Admin Mode: No Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE Logon ID: 0x21F3A3 Linked Logon ID: 0x21E573 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x408 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: 95.90.199.65 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:02:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230868 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 10 Restricted Admin Mode: No Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE Logon ID: 0x21E573 Linked Logon ID: 0x21F3A3 Network Account Name: - Network Account Domain: - Logon GUID: {197180CF-A21B-E391-E5D7-173A9F834F0D} Process Information: Process ID: 0x408 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-HOST-8 Source Network Address: 95.90.199.65 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:02:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230867 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: paba Account Domain: ATTACKRANGE Logon GUID: {197180CF-A21B-E391-E5D7-173A9F834F0D} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x408 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 95.90.199.65 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 12:02:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230866 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-4 Account Name: DWM-4 Account Domain: Window Manager Logon ID: 0x21B571 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege 11/09/2020 12:02:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=230865 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-4 Account Name: DWM-4 Account Domain: Window Manager Logon ID: 0x21B529 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 11/09/2020 12:02:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230864 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-4 Account Name: DWM-4 Account Domain: Window Manager Logon ID: 0x21B571 Linked Logon ID: 0x21B529 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x6c4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:02:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230863 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-4 Account Name: DWM-4 Account Domain: Window Manager Logon ID: 0x21B529 Linked Logon ID: 0x21B571 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x6c4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:02:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230862 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-8$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-4 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x6c4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 12:02:37 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230874 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: Window Manager\DWM-4 Account Name: DWM-4 Account Domain: Window Manager Logon ID: 0x21B529 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:02:37 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230873 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: Window Manager\DWM-4 Account Name: DWM-4 Account Domain: Window Manager Logon ID: 0x21B571 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:02:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=230875 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE Logon ID: 0x217E65 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:03:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232781 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x26000C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:03:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232780 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x26000C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 62331 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:03:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232779 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x26000C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:03:31 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232787 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x2603F5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:03:31 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232786 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x2603F5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 62334 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:03:31 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232785 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x2603F5 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:03:31 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232784 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x260389 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:03:31 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232783 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x260389 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 62333 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:03:31 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232782 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x260389 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:03:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232798 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x2650BC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:03:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232797 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x2651AC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:03:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232796 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x2651F5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:03:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232795 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x26526B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {918C43CF-BFF4-3A3F-B104-429BF877CCFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 62340 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:03:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232794 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x26526B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:03:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232793 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x2651F5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {918C43CF-BFF4-3A3F-B104-429BF877CCFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.14 Source Port: 62343 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:03:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232792 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x2651F5 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:03:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232791 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x2651AC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AF648D3B-9DFC-D76D-4EB4-DE1E7D1F56AF} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:03:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232790 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x2651AC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:03:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232789 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x2650BC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {918C43CF-BFF4-3A3F-B104-429BF877CCFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 62342 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:03:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232788 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x2650BC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:04:02 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232799 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x26526B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:04:14 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232801 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x7F953 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {6DE0AB57-7589-5289-8F47-603B112EB969} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 62355 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:04:14 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232800 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: Administrator@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {7569CF4C-5D91-D763-9E1B-B4A9BB96E421} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40800000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 12:04:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232804 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x269164 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:04:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232803 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x269164 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 62360 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:04:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232802 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x269164 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:04:31 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4662 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Directory Service Access OpCode=Info RecordNumber=232810 Keywords=Audit Success Message=An operation was performed on an object. Subject : Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7F953 Object: Object Server: DS Object Type: groupPolicyContainer Object Name: CN={31B2F340-016D-11D2-945F-00C04FB984F9}CN=Policies,CN=System,DC=attackrange,DC=local Handle ID: 0x0 Operation: Operation Type: Object Access Accesses: Write Property Access Mask: 0x20 Properties: Write Property Default Property Set versionNumber groupPolicyContainer Additional Information: Parameter 1: - Parameter 2: 11/09/2020 12:04:31 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4662 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Directory Service Access OpCode=Info RecordNumber=232809 Keywords=Audit Success Message=An operation was performed on an object. Subject : Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7F953 Object: Object Server: DS Object Type: groupPolicyContainer Object Name: CN={31B2F340-016D-11D2-945F-00C04FB984F9}CN=Policies,CN=System,DC=attackrange,DC=local Handle ID: 0x0 Operation: Operation Type: Object Access Accesses: Write Property Access Mask: 0x20 Properties: Write Property Default Property Set versionNumber groupPolicyContainer Additional Information: Parameter 1: - Parameter 2: 11/09/2020 12:04:31 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4662 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Directory Service Access OpCode=Info RecordNumber=232808 Keywords=Audit Success Message=An operation was performed on an object. Subject : Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7F953 Object: Object Server: DS Object Type: groupPolicyContainer Object Name: CN={31B2F340-016D-11D2-945F-00C04FB984F9}CN=Policies,CN=System,DC=attackrange,DC=local Handle ID: 0x0 Operation: Operation Type: Object Access Accesses: Write Property Access Mask: 0x20 Properties: Write Property Default Property Set versionNumber groupPolicyContainer Additional Information: Parameter 1: - Parameter 2: 11/09/2020 12:04:31 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4662 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Directory Service Access OpCode=Info RecordNumber=232807 Keywords=Audit Success Message=An operation was performed on an object. Subject : Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7F953 Object: Object Server: DS Object Type: groupPolicyContainer Object Name: CN={31B2F340-016D-11D2-945F-00C04FB984F9}CN=Policies,CN=System,DC=attackrange,DC=local Handle ID: 0x0 Operation: Operation Type: Object Access Accesses: Write Property Access Mask: 0x20 Properties: Write Property Default Property Set versionNumber groupPolicyContainer Additional Information: Parameter 1: - Parameter 2: 11/09/2020 12:04:31 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4662 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Directory Service Access OpCode=Info RecordNumber=232806 Keywords=Audit Success Message=An operation was performed on an object. Subject : Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7F953 Object: Object Server: DS Object Type: groupPolicyContainer Object Name: CN={31B2F340-016D-11D2-945F-00C04FB984F9}CN=Policies,CN=System,DC=attackrange,DC=local Handle ID: 0x0 Operation: Operation Type: Object Access Accesses: Write Property Access Mask: 0x20 Properties: Write Property Default Property Set versionNumber groupPolicyContainer Additional Information: Parameter 1: - Parameter 2: 11/09/2020 12:04:31 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4662 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Directory Service Access OpCode=Info RecordNumber=232805 Keywords=Audit Success Message=An operation was performed on an object. Subject : Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7F953 Object: Object Server: DS Object Type: groupPolicyContainer Object Name: CN={31B2F340-016D-11D2-945F-00C04FB984F9}CN=Policies,CN=System,DC=attackrange,DC=local Handle ID: 0x0 Operation: Operation Type: Object Access Accesses: Write Property Access Mask: 0x20 Properties: Write Property Default Property Set versionNumber groupPolicyContainer Additional Information: Parameter 1: - Parameter 2: 11/09/2020 12:04:32 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4662 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Directory Service Access OpCode=Info RecordNumber=232812 Keywords=Audit Success Message=An operation was performed on an object. Subject : Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7F953 Object: Object Server: DS Object Type: groupPolicyContainer Object Name: CN={31B2F340-016D-11D2-945F-00C04FB984F9}CN=Policies,CN=System,DC=attackrange,DC=local Handle ID: 0x0 Operation: Operation Type: Object Access Accesses: Write Property Access Mask: 0x20 Properties: Write Property Default Property Set versionNumber groupPolicyContainer Additional Information: Parameter 1: - Parameter 2: 11/09/2020 12:04:32 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4662 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Directory Service Access OpCode=Info RecordNumber=232811 Keywords=Audit Success Message=An operation was performed on an object. Subject : Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7F953 Object: Object Server: DS Object Type: groupPolicyContainer Object Name: CN={31B2F340-016D-11D2-945F-00C04FB984F9}CN=Policies,CN=System,DC=attackrange,DC=local Handle ID: 0x0 Operation: Operation Type: Object Access Accesses: Write Property Access Mask: 0x20 Properties: Write Property Default Property Set versionNumber groupPolicyContainer Additional Information: Parameter 1: - Parameter 2: 11/09/2020 12:04:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232822 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x26A457 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:04:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232821 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x26A49E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:04:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232820 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x26A4FB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {918C43CF-BFF4-3A3F-B104-429BF877CCFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 62361 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:04:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232819 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x26A4FB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:04:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232818 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x26A49E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {918C43CF-BFF4-3A3F-B104-429BF877CCFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.14 Source Port: 62364 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:04:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232817 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x26A49E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:04:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232816 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x26A457 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AF648D3B-9DFC-D76D-4EB4-DE1E7D1F56AF} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:04:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232815 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x26A457 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:04:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232814 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x26A369 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {918C43CF-BFF4-3A3F-B104-429BF877CCFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 62363 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:04:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232813 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x26A369 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:04:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232848 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x26E51B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:04:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232847 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x26E6FF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:04:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232846 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x26E725 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:04:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232845 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x26E725 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BF21CF55-15BA-3497-4D95-3A018566576D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:04:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232844 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x26E725 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:04:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232843 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon GUID: {F1F628F6-C7B9-0023-5287-105B75D88C44} Target Server: Target Server Name: win-dc-259$ Additional Information: win-dc-259$ Process Information: Process ID: 0x668 Process Name: C:\Windows\System32\taskhostw.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 12:04:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232842 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-259$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {F1F628F6-C7B9-0023-5287-105B75D88C44} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 12:04:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232841 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-DC-259$ Supplied Realm Name: ATTACKRANGE.LOCAL User ID: ATTACKRANGE\WIN-DC-259$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 12:04:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232840 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x26E6FF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {918C43CF-BFF4-3A3F-B104-429BF877CCFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.14 Source Port: 62369 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:04:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232839 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x26E6FF Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:04:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232838 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x26E5D3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:04:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232837 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x26E63A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:04:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232836 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x26E63A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BF21CF55-15BA-3497-4D95-3A018566576D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:04:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232835 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x26E63A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:04:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232834 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon GUID: {F1F628F6-C7B9-0023-5287-105B75D88C44} Target Server: Target Server Name: win-dc-259$ Additional Information: win-dc-259$ Process Information: Process ID: 0x668 Process Name: C:\Windows\System32\taskhostw.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 11/09/2020 12:04:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=232833 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-259$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {F1F628F6-C7B9-0023-5287-105B75D88C44} Service Information: Service Name: WIN-DC-259$ Service ID: ATTACKRANGE\WIN-DC-259$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 11/09/2020 12:04:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=232832 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: WIN-DC-259$ Supplied Realm Name: ATTACKRANGE.LOCAL User ID: ATTACKRANGE\WIN-DC-259$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 11/09/2020 12:04:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232831 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x26E5D3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {918C43CF-BFF4-3A3F-B104-429BF877CCFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.14 Source Port: 62368 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:04:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232830 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x26E5D3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:04:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232829 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x26E51B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 62367 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:04:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232828 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x26E51B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:04:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232827 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x26B4C7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:04:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232826 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x26B4C7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {918C43CF-BFF4-3A3F-B104-429BF877CCFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 62365 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:04:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232825 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x26B4C7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:04:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232824 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x26A369 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:04:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4739 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Authentication Policy Change OpCode=Info RecordNumber=232823 Keywords=Audit Success Message=Domain Policy was changed. Change Type: Lockout Policy modified Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Domain: Domain Name: ATTACKRANGE Domain ID: ATTACKRANGE\ Changed Attributes: Min. Password Age: - Max. Password Age: - Force Logoff: - Lockout Threshold: 3 Lockout Observation Window: - Lockout Duration: - Password Properties: - Min. Password Length: - Password History Length: - Machine Account Quota: - Mixed Domain Mode: - Domain Behavior Version: - OEM Information: - Additional Information: Privileges: - 11/09/2020 12:04:47 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232849 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x26A4FB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:05:15 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230876 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: paba Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 95.90.199.65 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:05:18 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230877 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: paba Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 95.90.199.65 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:05:22 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4740 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=User Account Management OpCode=Info RecordNumber=232850 Keywords=Audit Success Message=A user account was locked out. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Account That Was Locked Out: Security ID: ATTACKRANGE\paba Account Name: paba Additional Information: Caller Computer Name: 11/09/2020 12:05:22 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230878 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: paba Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 95.90.199.65 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:05:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232853 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x26F8DC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:05:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232852 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x26F8DC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 62380 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:05:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232851 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x26F8DC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:06:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232856 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x27106F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:06:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232855 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x27106F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 62393 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:06:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232854 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x27106F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:06:31 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232857 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x4F538 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:07:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232860 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x272710 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:07:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232859 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x272710 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 62405 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:07:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232858 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x272710 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:07:54 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4767 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=User Account Management OpCode=Info RecordNumber=232862 Keywords=Audit Success Message=A user account was unlocked. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7F953 Target Account: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE 11/09/2020 12:07:58 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232864 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x275A97 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {46CE51B2-1129-8D27-C87F-BB79CA75EC93} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 62416 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:07:58 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232863 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x275A97 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:08:02 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232866 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: ATTACKRANGE\WIN-DC-259$ Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x2760E8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {918C43CF-BFF4-3A3F-B104-429BF877CCFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:08:02 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232865 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\WIN-DC-259$ Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x2760E8 Privileges: SeAuditPrivilege SeImpersonatePrivilege SeAssignPrimaryTokenPrivilege 11/09/2020 12:08:04 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230879 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: paba Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 95.90.199.65 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:08:06 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230880 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: paba Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 95.90.199.65 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:08:07 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4740 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=User Account Management OpCode=Info RecordNumber=232867 Keywords=Audit Success Message=A user account was locked out. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Account That Was Locked Out: Security ID: ATTACKRANGE\paba Account Name: paba Additional Information: Caller Computer Name: 11/09/2020 12:08:07 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230881 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: paba Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 95.90.199.65 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:08:09 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232868 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x275A97 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:08:23 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4767 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=User Account Management OpCode=Info RecordNumber=232870 Keywords=Audit Success Message=A user account was unlocked. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7F953 Target Account: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE 11/09/2020 12:08:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232873 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x277555 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:08:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232872 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x277555 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 52850 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:08:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232871 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x277555 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:08:31 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232879 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x27775E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:08:31 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232878 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x27775E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 52853 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:08:31 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232877 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x27775E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:08:31 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232876 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x2776F2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:08:31 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232875 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x2776F2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 52852 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:08:31 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232874 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x2776F2 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:08:32 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230882 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: paba Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 95.90.199.65 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:08:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230883 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: paba Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 95.90.199.65 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:08:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230884 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: paba Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 95.90.199.65 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:08:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4740 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=User Account Management OpCode=Info RecordNumber=232880 Keywords=Audit Success Message=A user account was locked out. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Account That Was Locked Out: Security ID: ATTACKRANGE\paba Account Name: paba Additional Information: Caller Computer Name: 11/09/2020 12:08:47 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4767 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=User Account Management OpCode=Info RecordNumber=232882 Keywords=Audit Success Message=A user account was unlocked. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7F953 Target Account: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE 11/09/2020 12:08:58 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230885 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: paba Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 95.90.199.65 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:09:00 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230886 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: paba Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 95.90.199.65 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:09:01 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230887 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: paba Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 95.90.199.65 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:09:01 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4740 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=User Account Management OpCode=Info RecordNumber=232883 Keywords=Audit Success Message=A user account was locked out. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Account That Was Locked Out: Security ID: ATTACKRANGE\paba Account Name: paba Additional Information: Caller Computer Name: 11/09/2020 12:09:15 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4767 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=User Account Management OpCode=Info RecordNumber=232885 Keywords=Audit Success Message=A user account was unlocked. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7F953 Target Account: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE 11/09/2020 12:09:29 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230888 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: paba Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 95.90.199.65 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:09:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230889 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: paba Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 95.90.199.65 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:09:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232888 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x2804A5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:09:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232887 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x2804A5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 52866 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:09:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232886 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x2804A5 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:09:33 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4740 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=User Account Management OpCode=Info RecordNumber=232889 Keywords=Audit Success Message=A user account was locked out. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Account That Was Locked Out: Security ID: ATTACKRANGE\paba Account Name: paba Additional Information: Caller Computer Name: 11/09/2020 12:09:33 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230890 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: paba Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 95.90.199.65 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:09:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232902 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x280CC8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:09:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232901 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x280DED Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:09:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232900 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x280E33 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:09:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232899 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x280EEE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {918C43CF-BFF4-3A3F-B104-429BF877CCFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 52874 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:09:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232898 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x280EEE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:09:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232897 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x280E33 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {918C43CF-BFF4-3A3F-B104-429BF877CCFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.14 Source Port: 52871 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:09:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232896 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x280E33 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:09:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232895 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x280DED Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {AF648D3B-9DFC-D76D-4EB4-DE1E7D1F56AF} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:09:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232894 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x280DED Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:09:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232893 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x280CC8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {918C43CF-BFF4-3A3F-B104-429BF877CCFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 52870 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:09:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232892 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x280CC8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:09:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232891 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x280CA5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {918C43CF-BFF4-3A3F-B104-429BF877CCFA} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::87d:b372:8e35:4c82 Source Port: 52869 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:09:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232890 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x280CA5 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:09:45 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4767 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=User Account Management OpCode=Info RecordNumber=232904 Keywords=Audit Success Message=A user account was unlocked. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7F953 Target Account: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE 11/09/2020 12:09:47 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232905 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x280EEE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:09:55 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230891 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: paba Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 95.90.199.65 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:09:57 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230892 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: paba Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 95.90.199.65 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:09:59 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4740 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=User Account Management OpCode=Info RecordNumber=232906 Keywords=Audit Success Message=A user account was locked out. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Account That Was Locked Out: Security ID: ATTACKRANGE\paba Account Name: paba Additional Information: Caller Computer Name: 11/09/2020 12:09:59 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-8.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=230893 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: paba Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 95.90.199.65 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:10:13 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4767 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=User Account Management OpCode=Info RecordNumber=232908 Keywords=Audit Success Message=A user account was unlocked. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x7F953 Target Account: Security ID: ATTACKRANGE\paba Account Name: paba Account Domain: ATTACKRANGE 11/09/2020 12:10:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232911 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x28315B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:10:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232910 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x28315B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 52885 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:10:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232909 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x28315B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:11:07 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232912 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x280CA5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:11:13 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232913 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-DC-259$ Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x2760E8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:11:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232916 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x285959 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:11:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232915 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x285959 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 52897 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:11:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232914 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x285959 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/09/2020 12:12:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=232919 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x286FEF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/09/2020 12:12:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=232918 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x286FEF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DB272BE3-4DF3-D667-8299-EC117E9404D9} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 52910 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/09/2020 12:12:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-259.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=232917 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-259$ Account Domain: ATTACKRANGE Logon ID: 0x286FEF Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege